Information Security Training

Certified ISO/IEC 27001
Lead Implementer

Instructor Guide
Copyright

ISO 27001 Lead Implementer, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Lead Implementer | Instructor Guide

Follow Us

Before you start the course, please take a moment to:

“Like us” on Facebook
http://www.facebook.com/ITpreneurs

“Follow us” on Twitter
http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus
http://gplus.to/ITpreneurs

"Link with us" on Linkedin
http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube
http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1


Contents

Certified ISO/IEC 27001 Lead Implementer

Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 135
Day 3 ------------------------------------------------------------ 265
Day 4 ------------------------------------------------------------ 389
Appendix A: Case Study --------------------------------------- 493
Appendix B: Exercises List ---------------------------------- 501
Appendix C: Correction Key ---------------------------------- 519
Appendix D: Release Notes ----------------------------------- 535
Instructor Feedback Form


Day 1

ISO 27001 Lead Implementer
DAY 1

Certified ISO 27001 Lead Implementer

Schedule for Day 1
Section 1 : Course objective and structure
Section 2 : Standard and regulatory framework
Section 3 : Information Security Management System (ISMS)
Section 4 : Fundamental Principles of Information Security
Section 5 : Initiating the ISMS implementation
Section 6 : Understanding the organization and clarifying the information security objectives
Section 7 : Analysis of the existing management system

© 2005 PECB
Version 4.5
René St-Germain and Eric Lachapelle (Editor)
Document number: ISMSLID1V4.5

Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.
Normative references used in this training

1. Main standards
• ISO 19011:2011, Guidelines for auditing management systems.
• ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
• ISO/IEC 27001:2005, Information Security Management Systems – Requirements.
• ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management.
• ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance.
• ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement.
• ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management.

2. Other standard references
• ISO Guide 73:2009, Risk management – Vocabulary.
• ISO 9000:2005, Quality management systems – Fundamentals and vocabulary.
• ISO 9001:2008, Quality management systems – Requirements.
• ISO 14001:2004, Environmental management systems – Requirements with guidance for use.
• ISO/IEC 17011:2004, Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies.
• ISO 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
• ISO 17024:2003, Conformity assessment — General requirements for bodies operating certification of persons.
• OHSAS 18001:2007, Occupational Health and Safety Management Systems — Requirements.
• ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements.
• ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.
• ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain.
• ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
• ISO/IEC 27006:2011, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
• ISO/IEC 27007:2011, Information technology — Security techniques — Guidelines for information security management systems auditing.
• ISO/IEC TR 27008:2011, Information technology — Security techniques — Guidelines for auditors on information security controls.
• ISO 28000:2007, Specification for security management systems for the supply chain.
• ISO 31000:2009, Risk Management – Principles and Guidelines.
List of acronyms and abbreviations used in this training

ANSI: American National Standards Institute
BS: British Standard
BCMS: Business continuity management system
CERT: Computer Emergency Response Team
CMS: Content Management System
CobiT: Control Objectives for Business and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document Management System
EA: European Co-operation for Accreditation
EDM: Electronic Document Management System
EMS: Environment management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IAF: International Accreditation Forum
IFAC: International Federation of Accountants
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Standards Organization
ITIL: Information Technology Infrastructure Library
LA: Lead auditor
LI: Lead Implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OHSAS: Occupational Health and Safety Assessment Series
OECD: Organization for Economic Co-operation and Development
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
QMS: Quality management system
PECB: Professional Evaluation and Certification Board
ROI: Return on Investment
ROSI: Return on Security Investment
SMS: Service management system
SoA: Statement of applicability
SOX: Sarbanes-Oxley Act
Certified ISO 27001 Lead Implementer Training
Section 1
Course objectives and structure

a. Meet and greet
b. General points
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training

Activity
Meet and greet

To break the ice, participants introduce themselves stating:

• Name;
• Current position;
• Knowledge of and experience with information security;
• Knowledge of and experience with ISO 27001 and other standards of the 27000 family (27002, 27003, 27004, 27005, ...);
• Knowledge of and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, ISO 22301, etc.);
• Course expectations and objectives.

Duration of activity: 20 minutes

General Information

• Use of mobile phones and recording devices
• Use of a computer and access to the Internet
• Smoking area
• Timetable and breaks
• Meals
• Absences

• For simplification, only the masculine is used throughout this training and is not meant to offend anyone.
• In case of emergency, please be aware of exits.
• Agree on the course schedule and two breaks (be on time).
• Set your cell phone on vibration and if you need to take a call, please do it outside the classroom.
• Recording devices are prohibited because they may restrict free discussions.

Training Objectives
Acquiring knowledge

1. Understand the components and the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001 and ISO 27002 as well as with other standards and regulatory frameworks
3. Master the concepts, approaches, standards, methods and techniques for the implementation and effective management of an ISMS

The main objective of this training is to acquire and/or enhance the knowledge and competencies to participate in the implementation of an Information Security Management System based on ISO 27001. From an educational view, competency consists of the following 3 elements:

• Knowledge;
• Skill;
• Behavior (attitude).

The training focuses on the acquisition of the knowledge necessary for the implementation of a compliance framework for ISO 27001 and not on the acquisition of expertise in information security. Minimal knowledge of information security is however required for successful completion of the course.

This training is not intended as a simple list of the requirements of the ISO 27001 standard and high-level advice on the implementation approach. In addition to presenting the theoretical knowledge needed by an ISMS project manager, a comprehensive methodology for the implementation is presented. Thus, at the end of this course, participants will gain knowledge on how to implement a compliance framework for ISO 27001 and not only on why or what to do.

To obtain more in-depth knowledge of the audit techniques of an ISMS, it is recommended to take the Certified ISO 27001 Lead Auditor course.
Training Objectives
Development of competencies

1. Interpret the ISO 27001 requirements in the specific context of an organization
2. Develop the expertise to support an organization to plan, implement, manage, monitor and maintain an ISMS as specified in ISO 27001
3. Acquire the expertise to advise an organization on information security management best practices
4. Strengthen the personal qualities necessary to act with due professional care when conducting a compliance project

The objective of this training is to ensure that on the day following the end of the training, the candidate can actively participate in the implementation of a compliance framework for ISO 27001.

This training focuses on the reality of conducting a compliance project. The case study and exercises are used to simulate conditions as close as possible to reality.

Regarding attitude, several exercises will allow the candidate to strengthen the personal qualities necessary for an implementer to act with due professional care during the implementation, such as decision-making ability, teamwork, openness of mind, etc.
Educational Approach
Students at the center

This course is primarily based on:

• Trainer-led sessions, where questions are welcomed.
• Student involvement in various ways: exercises, case studies, notes, reactions, discussions (participant experiences).

Remember, this course is yours: you are the main players in its success.

Students are encouraged to take additional notes. Extra blank pages are available at the end of each day's notes.

Exercises are essential to acquire the skills needed to conduct the implementation of a management system. It is therefore very important to do them conscientiously. In addition, these exercises prepare students for the final examination.
Examination
Competency domains

1. Fundamental principles of information security
2. Information security control best practice based on ISO 27002
3. Planning an ISMS based on ISO 27001
4. Implementing an ISMS based on ISO 27001
5. Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
6. Continual improvement of an ISMS based on ISO 27001
7. Preparing for an ISMS certification audit

The objective of the certification examination is to ensure that implementer candidates have mastered ISMS concepts and techniques so that they are able to participate in ISMS project assignments. The PECB examination committee shall ensure that the development and adequacy of the exam questions are maintained based upon current professional practice.

The questions are developed and maintained by a committee of information security specialists who are all ISO 27001 Lead Implementer certified.

The exam only contains essay questions. The duration of the exam is 3 hours. The minimum passing score is 70%.

All notes and reference documents may be used during the exam, excluding the use of a computer.

The exam is available in several languages. When taking the exam, please ask the trainer or check on the PECB website for the list of available languages.

All seven competency domains are covered by the examination. To read a detailed description of each competency domain, please visit the PECB website.
Certified ISO 27001 Lead Implementer
Prerequisites for certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 2 years information security experience
5. 300 hours activity
6. Professional references

Certified ISO 27001 Lead Implementer

Passing the exam is not the only pre-requisite to obtain the credential of “Certified ISO/IEC 27001 Lead Implementer”. This credential will endorse both the passing of the exam and the validation of the professional experience records. Unfortunately, many people claim they are ISO 27001 Lead Implementer-qualified following a successful exam, although they don’t have the required experience level.

The set of criteria and the certification process are explained in detail on the last day of the training.

A candidate with less experience can apply for the credential of “Certified ISO/IEC 27001 Implementer” or “Certified ISO/IEC 27001 Provisional Implementer”.

Important note: Certification fees are included in the examination price. The candidate will therefore not have to pay any additional costs when applying for certification at their corresponding experience level, so as to receive one of the professional credentials: Certified ISO/IEC 27001 Provisional Implementer, Certified ISO/IEC 27001 Implementer or Certified ISO/IEC 27001 Lead Implementer.
Certificate

Candidates who meet all the prerequisites for certification will receive a certificate.

After passing the exam, the candidate has a maximum period of three years to apply for one of the professional credentials related to the ISO 27001 certification scheme.

When the candidate is certified, he will receive, via electronic mail, from PECB a certificate valid for three years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the requirements for the assigned credential and abiding by PECB’s Code of Ethics. To learn more about the certificate maintenance and renewal procedure, please visit the PECB website. At the end of the training, more details will be given.

An electronic (PDF) course completion certificate, valid for 31 CPD (Continuing Professional Development) credits, will be issued (sent via email) to participants after the training.
What is PECB?
Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security).

Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high quality recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified to ISO 9001 and ISO 27001.

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes:

• Establishing the minimum requirements necessary to qualify certified professionals;
• Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
• Developing and maintaining reliable, valid, and current certification examinations;
• Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates;
• Establishing requirements for the periodic renewal of certification and determining compliance with those requirements;
• Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
• Representing its members, where appropriate, in matters of common interest;
• Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.
Personnel Certification Bodies
ISO 17024

• ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
• PECB is accredited by ANSI under ISO/IEC 17024
• Most of the organizations proposing certifications of professionals are not accredited certification bodies

The ISO 17024 standard provides a comprehensive framework for certification bodies of persons such as PECB to operate in a coherent, comparable and trusted manner worldwide. The primary function of a certification body of persons is an independent assessment of the demonstrated experience, knowledge and attitudes of a candidate that are applicable to the field for which certification is granted.

The ISO 17024 standard provides a uniform set of guidelines for organizations that manage the qualification and certification of persons, including procedures relating to the preparation and updating of a certification scheme. The standard is designed to help organizations that carry out certification of persons to conduct well-planned and structured assessments using objective criteria of competencies and grading, to ensure impartiality of operations and reduce the risk of conflict of interest.

ISO 17024 addresses the structure and governance of the certification body, the characteristics of the certification programme, information that must be made available to candidates and the renewal of the certification of the certification body.

ANSI is the largest and most recognized organization to offer an accreditation program to ISO 17024. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003).

Important note:
PECB is the only personnel certification body accredited by ANSI for an ISO 27001 certification program. Most of the organizations proposing certifications of professionals are not accredited certification bodies. Only a certification body accredited under the ISO 17024 standard ensures international recognition. It’s important to validate the status of a certification body with the associated accreditation authority, such as ANSI and UKAS.
Why become a Certified Implementer?
Advantages

Qualifying oneself to manage an ISMS project

Formal and independent recognition of personal competencies

Certified professionals usually earn salaries higher than those of non-certified professionals

• An internationally recognized certification can help you maximize your career potential and reach your professional objectives.
• An international certification is the formal recognition of personal competencies in improving the performance of organizations.
• According to salary surveys published by the Quality Progress magazine in the last five years, certified professionals have an average salary considerably higher than their non-certified counterparts.
Customer Service
Comments, questions and complaints

Complaint process between the Participant, the Training Provider and PECB:
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and services for our clients.

As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.

To send comments, questions or complaints, please open a ticket on PECB’s website in the Contact Us section.

If you have suggestions for improving PECB’s training materials, we'd like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to the Training Department on PECB’s website in the Contact Us section.

In case of dissatisfaction with the training (trainer, training room, equipment, ...), the examination or the certification processes, please open a ticket under the “Make a complaint” category on PECB’s website in the Contact Us section.
Schedule for the Week

Day 1: Introduction to ISO 27001 and initiation of an ISMS
• Section 1 : Course objective and structure
• Section 2 : Standard and regulatory framework
• Section 3 : Information Security Management System (ISMS)
• Section 4 : Fundamental principles of information security
• Section 5 : Initiating the ISMS implementation
• Section 6 : Understanding the organization and clarifying the information security objectives
• Section 7 : Analysis of the existing management system

Day 2: Plan the implementation of the ISMS
• Section 8: Leadership and approval of the ISMS project
• Section 9: ISMS scope
• Section 10: Policies for information security
• Section 11: Risk assessment
• Section 12: Statement of Applicability and management decision to implement the ISMS
• Section 13: Definition of the organizational structure of information security

Day 3: Deploying the ISMS
• Section 14: Definition of the document management process
• Section 15: Design of security controls and drafting of specific policies & procedures
• Section 16: Communication plan
• Section 17: Training and awareness plan
• Section 18: Implementation of security controls
• Section 19: Incident Management
• Section 20: Operations Management

Day 4: ISMS measurement, continuous improvement and preparation for certification audit
• Section 21: Monitoring, measurement, analysis and evaluation
• Section 22: Internal audit
• Section 23: Management review
• Section 24: Treatment of problems and non-conformities
• Section 25: Continual improvement
• Section 26: Preparing for the certification audit
• Section 27: Competence and evaluation of implementers
• Section 28: Closing the training

Questions?

Certified ISO 27001 Lead Implementer Training
Section 2
Standard and regulatory framework

a. ISO structure
b. Fundamental ISO principles
c. Information Security Standards
d. ISO 27000 family
e. Integrated normative framework
f. Project Management Standards

During this training, we will adopt the following convention: standards will often be referenced as “ISO XXXX” in the slides instead of their official designation “ISO/IEC XXXXX:20XX”, without specifying their publication date, each referring to its latest version.

ISO documents are copyright protected. Each participant has a responsibility to possess a legal copy of the standards required for this course. If a standard is included or was given to you for the period of this training, you must follow the conditions for use stated by ISO.

No part of this publication may be reproduced by any means or used in any way, whether it be electronic or mechanical, including photocopies and microfilms, without written permission from ISO (see address below) or a member of the ISO organization located in the country of the person or the related organization.

Copies of the different ISO standards can be bought online on the ISO website (www.iso.org) or from the accreditation authority of each country. For example, you can buy ISO standards from ANSI (webstore.ansi.org).

Important note on terminology: Depending on the standard, there are different terms used to refer to a specific part of a standard, like clause, section, paragraph or chapter. In this course we will use "clause" to express any reference to a specific part of a norm or standard.

What is ISO?

• ISO is a network of national standardization bodies from over 160 countries
• The final results of ISO works are published as international standards
• Over 19 000 standards have been published since 1947

History
In 1946, delegates from 25 countries met in London and decided to create a new international organization, of which the object would be "to facilitate the international coordination and unification of industrial standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland.

The International Standards Organization (ISO) is a non-governmental organization that holds a special position between the public sector and the private sector. Its members include national standards organizations who often are part of government structures in their countries or who are mandated by these governments.

Other members belong to the private sector as national partnerships of industry associations.

Goals/Advantages
The role of ISO is to facilitate international coordination and the standardization of industrial standards. To reach these objectives, ISO publishes technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they bring a technical foundation for health, security, and environmental legislation to governments; and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services. These standards are also used to simplify their lives.

Note on terminology: Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal".

Source: www.iso.org

Certified ISO/IEC 27001 | Lead Implementer | Instructor Guide

How are ISO standards developed?

The national delegations of experts of a committee meet to discuss, debate and argue until they reach consensus on a draft agreement. The "organizations in liaison" also take part in this work. In some cases, advanced work within these organizations means that substantial technical development and debate has already occurred, leading to some international recognition; in this case, a document may be submitted for "fast-track" processing. In both cases, the resulting document is circulated as a Draft International Standard (DIS) to all ISO's member bodies for voting and comment.

If the vote is in favor, the document, with any modifications, is circulated to the ISO members as a Final Draft International Standard (FDIS). If that vote is positive, the document is then published as an International Standard. (There is no FDIS stage in the case of documents processed through the fast-track procedure of the joint technical committee ISO/IEC JTC 1, Information technology.)

Every working day of the year, an average of seven ISO technical meetings takes place around the world. In between meetings, the experts continue the standards' development work by correspondence. Increasingly, their work is carried out by electronic means, which speeds up the development of standards and cuts travel costs.

International Standards are developed by a six-step process:

Stage 1: Proposal stage

The first step in the development of an International Standard is to confirm that a particular International Standard is needed. A new work item proposal (NP) is submitted for vote by the members of the relevant TC or SC to determine the inclusion of the work item in the program of work.

The proposal is accepted if a majority of the P-members of the TC/SC votes in favor and if at least five P-members declare their commitment to participate actively in the project. At this stage a project leader responsible for the work item is normally appointed.

Stage 2: Preparatory stage

Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the TC/SC for the preparation of a working draft. Successive working drafts may be considered until the working group is satisfied that it has developed the best technical solution to the problem being addressed. At this stage, the draft is forwarded to the working group's parent committee for the consensus-building phase.

Stage 3: Committee stage

As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed for comment and, if required, voting, by the P-members of the TC/SC. Successive committee drafts may be considered until consensus is reached on the technical content. Once consensus has been attained, the text is finalized for submission as a draft International Standard (DIS).

Stage 4: Enquiry stage

The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat for voting and comment within a period of five months. It is approved for submission as a final draft International Standard (FDIS) if a two-thirds majority of the P-members of the TC/SC are in favor and not more than one-quarter of the total number of votes cast are negative. If the approval criteria are not met, the text is returned to the originating TC/SC for further study and a revised document will again be circulated for voting and comment as a draft International Standard.

Stage 5: Approval stage

The final draft International Standard (FDIS) is circulated to all ISO member bodies by the ISO Central Secretariat for a final Yes/No vote within a period of two months. If technical comments are received during this period, they are no longer considered at this stage, but registered for consideration during a future revision of the International Standard. The text is approved as an International Standard if a two-thirds majority of the P-members of the TC/SC is in favor and not more than one-quarter of the total number of votes cast are negative. If these approval criteria are not met, the standard is referred back to the originating TC/SC for reconsideration in light of the technical reasons submitted in support of the negative votes received.

Stage 6: Publication stage

Once a final draft International Standard has been approved, only minor editorial changes, if and where necessary, are introduced into the final text. The final text is sent to the ISO Central Secretariat, which publishes the International Standard.

Reference: www.iso.org

Basic Principles – ISO Standards

Basic principles of ISO standards:
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

ISO basic principles

1. Equal representation: Every ISO member (full-fledged member) has the right to participate in the development of any standard it deems important to the economy of its country. Whatever the size or strength of the economy, each participating member can claim its right to vote. ISO activities are thus carried out in a democratic structure where member countries are on the same footing in terms of their influence on work orientation.


2. Voluntary: Adoption of ISO standards is voluntary. As a non-governmental organization, ISO has no legal authority for their implementation. A percentage of ISO standards – more particularly those related to health, security and the environment – have been adopted in several countries as part of the regulatory framework, or are mentioned in the legislation for which they act as a technical basis. Such adoptions are sovereign decisions by regulatory organizations or governments.

ISO itself does not regulate or legislate. However, although ISO standards are voluntary, they can become a market requirement, as is the case with ISO 9001 or with freight container dimensions, the traceability of food products, etc.

3. Business orientation: ISO only develops standards for which a market demand exists. Work is carried out by experts in the related industrial, technical and business sectors. These experts may be joined by other experts holding the appropriate knowledge, such as those from public organizations, the academic world and testing laboratories. ISO launches the development of new standards in response to sectors and stakeholders that express a clearly established need for them.

An industry sector or other stakeholder group typically communicates its requirement for a standard to one of ISO's national members. The latter then proposes the new work item to the relevant ISO technical committee developing standards in that area. New work items may also be proposed by organizations in liaison with such committees. When work items do not relate to existing committees, proposals may also be made by ISO members to set up new technical committees to cover new fields of activity.

4. Consensus approach: ISO standards are based on a representative consensus approach of the different stakeholders (experts, industries, researchers, governments, etc.). This ensures a larger circulation and a greater application. ISO standards are developed by technical committees (subcommittees or project committees) comprising experts from the industrial, technical and business sectors which have asked for the standards, and which subsequently put them to use. These experts may be joined by representatives of government agencies, testing laboratories, consumer associations, non-governmental organizations and academic circles.

Proposals to establish new technical committees are submitted to all ISO national member bodies, who may opt to be participating (P), observer (O) or non-members of the committee. The secretariat (i.e. the body providing the administrative support to the work of the committee) is allocated by the Technical Management Board (which itself reports to the ISO Council), usually to the ISO member body which made the proposal. The secretariat is responsible for nominating an individual to act as chair of the technical committee. The chair is formally appointed by the Technical Management Board.

Experts participate as national delegations, chosen by the ISO national member body for the country concerned. National delegations are required to represent not just the views of the organizations in which their participating experts work, but those of other stakeholders too. National delegations are usually based on and supported by national mirror committees to which the delegations report.

According to ISO rules, the national member body is expected to take account of the views of all parties interested in the standard under development. This enables it to present a consolidated, national consensus position to the technical committee.

International and regional organizations from both business and the public sector may apply for liaison status to participate in developing a standard, or to be informed about the work. Such "organizations in liaison" are accepted through voting by the relevant ISO committee. They may comment on successive drafts, propose new work items or even propose documents for "fast tracking", but they have no voting rights.

5. International cooperation: ISO standards are technical agreements that provide, at the international level, structures for technological compatibility. Developing a technical consensus on an international scale is a major activity. 3 000 technical ISO groups are identified (technical committees, subcommittees, work groups, etc.) within which 50 000 experts take part in developing standards annually.

Source: www.iso.org

Eight ISO Management Principles

1. Customer focus: Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.

Management system implications
‡ Researching and understanding customer needs and expectations.
‡ Ensuring that the objectives of the organization are linked to customer needs and expectations.
‡ Communicating customer needs and expectations throughout the organization.
‡ Systematically managing customer relationships.
‡ Ensuring a balanced approach between satisfying customers and other interested parties (such as owners, employees, suppliers, financiers, local communities and society as a whole).

2. Leadership: Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization's objectives.

Management system implications
‡ Considering the needs of all interested parties including customers, owners, employees, suppliers, financiers, local communities and society as a whole.
‡ Establishing a clear vision of the organization's future.
‡ Setting challenging goals and targets.
‡ Creating and sustaining shared values, fairness and ethical role models at all levels of the organization.
‡ Establishing trust and eliminating fear.
‡ Providing people with the required resources, training and freedom to act with responsibility and accountability.
‡ Inspiring, encouraging and recognizing people's contributions.

3. Involvement of people: People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization's benefit.

Management system implications
‡ People understanding the importance of their contribution and role in the organization.
‡ People identifying constraints to their performance.
‡ People accepting ownership of problems and their responsibility for solving them.
‡ People evaluating their performance against their personal goals and objectives.
‡ People actively seeking opportunities to enhance their competence, knowledge and experience.
‡ People freely sharing knowledge and experience.
‡ People openly discussing problems and issues.

4. Process approach: A desired result is achieved more efficiently when activities and related resources are managed as a process.

Management system implications
‡ Systematically defining the activities necessary to obtain a desired result.
‡ Establishing clear responsibility and accountability for managing key activities.
‡ Analyzing and measuring the capability of key activities.
‡ Identifying the interfaces of key activities within and between the functions of the organization.
‡ Focusing on the factors, such as resources, methods and materials, that will improve key activities of the organization.
‡ Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.

5. System approach to management: Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives.

Management system implications
‡ Structuring a system to achieve the organization's objectives in the most effective and efficient way.
‡ Understanding the interdependencies between the processes of the system.
‡ Structured approaches that harmonize and integrate processes.
‡ Providing a better understanding of the roles and responsibilities necessary for achieving common objectives and thereby reducing cross-functional barriers.
‡ Understanding organizational capabilities and establishing resource constraints prior to action.
‡ Targeting and defining how specific activities within a system should operate.
‡ Continually improving the system through measurement and evaluation.


6. Continual improvement: Continual improvement of the organization's overall performance should be a permanent objective of the organization.

Management system implications
‡ Employing a consistent organization-wide approach to continual improvement of the organization's performance.
‡ Providing people with training in the methods and tools of continual improvement.
‡ Making continual improvement of products, processes and systems an objective for every individual in the organization.
‡ Establishing goals to guide, and measures to track, continual improvement.
‡ Recognizing and acknowledging improvements.

7. Factual approach to decision making: Effective decisions are based on the analysis of data and information.

Management system implications
‡ Ensuring that data and information are sufficiently accurate and reliable.
‡ Making data accessible to those who need it.
‡ Analyzing data and information using valid methods.
‡ Making decisions and taking action based on factual analysis, balanced with experience and intuition.

8. Mutually beneficial supplier relationships: An organization and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.

Management system implications
‡ Establishing relationships that balance short-term gains with long-term considerations.
‡ Pooling of expertise and resources with partners.
‡ Identifying and selecting key suppliers.
‡ Clear and open communication.
‡ Sharing information and future plans.
‡ Establishing joint development and improvement activities.
‡ Inspiring, encouraging and recognizing improvements and achievements by suppliers.

Source: www.iso.org

Management System Standards

Primary standards against which an organization can be certified:
‡ ISO 9001 – Quality
‡ ISO 14001 – Environment
‡ OHSAS 18001 – Health and Safety at work
‡ ISO 20000 – IT Service
‡ ISO 22000 – Food Safety
‡ ISO 22301 – Business continuity
‡ ISO 27001 – Information security
‡ ISO 28000 – Supply Chain Security

Since 1947 ISO has published over 19 000 international standards. ISO publishes standards related to traditional activities such as agriculture and construction, media devices and the most recent developments in information technologies, such as the digital coding of audiovisual signals for multimedia applications.

The ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000 standard has become an international reference with regard to the quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.

ISO 9001 is related to quality management. It contains the good practices that aim to improve customer satisfaction, achievement of customer requirements and regulatory requirements, as well as continuous improvement actions in those fields. In December 2009, 1 064 785 organizations were ISO 9001 certified (China having the most certified organizations: 257 076).

ISO 14001 is mainly related to environmental management. It defines the actions that the organization can implement for the maximum reduction of negative impacts of its activities on the environment and for the continuous improvement of its environmental performance. In December 2009, 223 149 organizations were ISO 14001 certified (China having the most certified organizations, 55 316 in 2009; Japan is second with 39 556 certified organizations).

OHSAS 18001 (OHSAS = Occupational Health and Safety Assessment Series) identifies best practices for the rigorous management and effective protection of occupational health and safety. After various disagreements within ISO over creating a management standard for health and safety, OHSAS 18001 has become the de facto standard for health and safety at the enterprise level. OHSAS 18001 is a private norm. It was developed from existing national standards (BS 8800, UNE 81900, VCA) and standards published by different certification bodies (OHSMS, SafetyCert, SMS 8800).

ISO 20000-1 defines the requirements that an information technology service provider must apply. This standard applies to service providers regardless of the organization's size or type. The standard consists of two parts. The first part defines the specifications the organization shall apply to obtain certification. The second part (ISO 20000-2) explains the different practices or recommendations to reach the objectives previously defined.

ISO 22000 is used to create and manage a food safety management system (FSMS). This standard applies to all organizations that are involved in any aspect of the food supply chain and want to implement a system to continuously provide safe food. This standard focuses on personnel competencies and continuous information research about food products (new legislation, standards, rules…). Organizations must perform a HACCP (Hazard Analysis Critical Control Point) study to identify, analyze and evaluate the risks to food safety. For each risk that has been defined as significant, the organization must define controls to implement.

ISO 22301 defines the requirements that an organization must apply to certify a Business Continuity Management System (BCMS). To comply with the requirements of this standard, the organization needs to document a model to develop, implement, operate, monitor, review, maintain and improve a BCMS, so as to increase the resilience of the organization in case of a disaster. This standard is compatible with PAS 22399 (Guideline for incident preparedness and operational continuity management) and BS 25999 (British Standard on business continuity).

ISO 27001 defines the requirements that an organization must apply to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. The ISO 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO 27002. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 28000 prescribes the requirements applicable to a security management system for the supply chain. An organization has to define, implement, maintain and improve a supply chain security management system during each step of production: manufacturing, maintenance, storage or transport of goods.


e
pl
m
Sa

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 32


Certified ISO/IEC 27001 | Lead Implementer | Instructor Guide

Integrated Management System

Common structure of ISO standards

Requirements                         ISO 9001:2008   ISO 14001:2004   ISO 20000:2011   ISO 22301:2012   ISO 27001:2005
Objectives of the management system  5.4.1           4.3.3            4.5.2            6.2              4.2.1
Policy of the management system      5.3             4.2              4.1.2            5.3              4.2.1
Management commitment                5.1             4.4.1            4.1              5.2              5
Documentation requirements           4.2             4.4              4.3              7.5              4.3
Internal audit                       8.2.2           4.5.5            4.5.4.2          9.2              6
Continual improvement                8.5.1           4.5.3            4.5.5            10               8
Management review                    5.6             4.6              4.5.4.3          9.3              7

More and more organizations have to manage several compliance frameworks simultaneously. To simplify the work, to avoid conflicts and to reduce duplication of documents, it is recommended to implement an integrated management system. An integrated management system (IMS) is a management system which integrates all components of a business into one coherent system so as to enable the achievement of its purpose and mission. The table in the slide presents certain requirements that are common to all management systems.

There are several good reasons for integration, to:
‡ harmonize and optimize practices
‡ eliminate conflicting responsibilities and relationships
‡ balance conflicting objectives
‡ formalize informal systems
‡ reduce duplication and therefore costs
‡ reduce risks and increase profitability
‡ turn the focus to business goals
‡ create consistency
‡ improve communication
‡ facilitate training and awareness

Important note: In June 2009, the Technical Steering Committee of ISO adopted a resolution asking the committees involved in the development of standards to specify the requirements of a management system (ISO 14001, ISO 22000, ISO 27001, etc.) following a common structure of clauses in line with ISO 9001. This directive is applicable to the versions published after 2011, so the common elements of every management system will have the same reference. The main objective is to facilitate the combined management of a normative framework for an organization.


Other Information Security Standards

Examples

As of March 2012, there are 106 published ISO standards on information security (JTC 1/SC 27 technical committee), including the following examples:

ISO 9798: This standard specifies a general model including the requirements and constraints for the use of identity authentication mechanisms. These mechanisms are used to demonstrate that an entity is who it claims to be. Details on the different mechanisms are explained in the different parts of this standard.

ISO 11770: This standard defines a general model for key management independent of the cryptographic algorithm used. This standard addresses both automatic and manual key management and the required sequence of operations. However, it does not specify details of the interface protocols needed for the operations.

ISO 15408: Under the general title Common Criteria, the scope of this standard is its use as a basis to evaluate the security properties of Information Technology (IT) products and systems. A free copy can be downloaded from the ISO website.
It contains the following parts:
Part 1: Introduction and general model;
Part 2: Security functional components;
Part 3: Security assurance components.

ISO 21827 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security. ISO 21827 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The objective is to facilitate an increase in the maturity of the security engineering processes within the organization.

ISO 24761 specifies the structure and elements of a mechanism for authentication using biometrics in the verification process.


ISO 27033 provides an overview of network security and related definitions. It defines and describes the concepts associated with network security. The various parts of ISO 27033 address specific topics related to network security.

History of the ISO 27001 Series
Important dates

(Slide: timeline 1990 – 1995 – 1998 – 2000 – 2005 – 2007 – 2008+: BS 7799-1 code of best practices (published by a group of companies); BS 7799-2 ISMS certification schema; ISO 17799 code of best practices; new version of ISO 17799; ISO 27001 ISMS requirements; ISO 27006 certification of the organization; publication of other standards of the 27000 family; revision to ISO 27001 & ISO 27002 in progress.)

Beginning of the 1990s
‡ An industry need expressed in terms of better practices and controls to support trade and government in the implementation and improvement of information security;
‡ The Ministry of Commerce and Industry (United Kingdom) forms a work group bringing together directors with experience in information security;
‡ Publication of a collective work of advice on the management of information security.

1992
‡ Guide of good practices of the industry (September) initially published as a British Standard Institute (BSI) publication;
‡ This guide was the basis for the British Standard: BS 7799-1.

1995
‡ BS 7799-1:1995 published as a British standard.

1996 - 1997
‡ Identification of a need to increase the level of confidence in the BS 7799 standard;
‡ The industry requests a certification program for an ISMS.

1998
‡ Launch of the ISMS certification model (Published as BS 7799-2:1998).

1999
‡ Revision of BS 7799-1:1999 (updates and addition of new security controls):
ƒ New security controls: e-commerce, mobile IT, third-party agreements;
ƒ Removal of specific references to the United Kingdom.
‡ BS 7799-2:1999 (Alignment of controls to BS 7799-1).

2000
‡ Publication of ISO 17799:2000.

2002
‡ Launch of BS 7799-2:2002.
‡ The main updates are:
ƒ Integration of the Plan-Do-Check-Act (PDCA) model;
ƒ ISO 17799 controls included as an annex to the standard;
ƒ Annex demonstrating the connection between BS 7799-2, ISO 9001 and ISO 14001.

2005
‡ Publication of the new version of ISO 17799:2005.
‡ Publication of ISO 27001:2005, which replaces BS 7799-2, and contains:
ƒ ISMS specifications;
ƒ ISO 17799 controls in the standard's annex;
ƒ Annex demonstrating the connection with ISO 9001 and ISO 14001.

2007
‡ Publication of ISO 27002:2005 replacing ISO 17799:2005 (no change in the content, just the identification number);
‡ Publication of ISO 27006:2007 (Requirements for bodies providing audit and certification of information security management systems).

2008
‡ Publication of ISO 27005:2008 (Information security risk management);
‡ Publication of ISO 27011:2008 (Information security management guidelines for telecommunications organizations based on ISO 27002).

2009
‡ Publication of ISO 27000:2009 (Information security management systems -- Overview and vocabulary);
‡ Publication of ISO 27004:2009 (Information security management – Measurement);
‡ Publication of ISO 27033-1:2009 (Network security -- Part 1: Overview and concepts).

2010
‡ Publication of ISO 27003:2010 (Information security management system implementation guidance);
‡ Publication of ISO 27033-3:2010 (Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues).

2011
‡ Publication of ISO 27005:2011 (Information security risk management);
‡ Publication of ISO 27006:2011 (Requirements for bodies providing audit and certification of information security management systems);
‡ Publication of ISO 27007:2011 (Guidelines for information security management systems auditing);
‡ Publication of ISO 27008:2011 (Guidelines for auditors on information security controls).


ISO 27000 Family

Vocabulary:
‡ ISO 27000 – Vocabulary
Requirements:
‡ ISO 27001 – ISMS requirements
‡ ISO 27006 – Certification organization requirements
General guides:
‡ ISO 27002 – Code of practices
‡ ISO 27003 – Implementation guide
‡ ISO 27004 – Metrics
‡ ISO 27005 – Risk management
‡ ISO 27007-27008 – Audit guides
Industry guides:
‡ ISO 27011 – Telecommunications
‡ ISO 27799 – Health
‡ ISO 270XX – others

Resulting from the reflections of an international working group dedicated to information security, the ISO 27000 family has been published progressively since 2005. ISO 27001:2005 is the only certifiable standard of the ISO 27000 family. The other standards are guidelines.
‡ ISO 27000: This information security standard develops the basic concepts as well as the vocabulary that applies when analyzing Information Security Management Systems. A free copy of this standard can be downloaded from the ISO website.
‡ ISO 27001: This information security standard defines the requirements of Information Security Management Systems (ISMS).
‡ ISO 27002 (previously ISO 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms of information security and anticipates meeting the global concerns of organizations relating to information security for their overall activities.
‡ ISO 27003: Guide for implementing or setting up an ISMS.
‡ ISO 27004: Guide of metrics to facilitate ISMS management; it provides a method to define the objectives for implementation and effectiveness criteria, and follow-up and evolution measurements all through the process.
‡ ISO 27005: Guide for information security risk management which complies with the concepts, models and general processes specified in ISO 27001.
‡ ISO 27006: Guide for organizations auditing and certifying ISMSs.
‡ ISO 27007: Guidelines for information security management systems auditing.
‡ ISO 27008: Guidelines for auditors on information security controls.
‡ ISO 27011: Guidelines for the use of ISO 27002 in the telecommunications industry.
‡ ISO 27031: Guidelines for information and communication technology readiness for business continuity.
‡ ISO 27799: Guidelines for the use of ISO 27002 in health informatics.


ISO 27001 (Slide 26)

• Specifies requirements for ISMS management (Clauses 4 to 8)
• Requirements (clauses) are written using the imperative verb “shall”
• Annex A: 11 clauses containing 39 control objectives and 133 controls
• Organizations can obtain certification against this standard

ISO 27001:

• A set of normative requirements for the establishment, implementation, operation, monitoring, review, maintenance and improvement of an Information Security Management System (ISMS);

• A set of requirements for selecting security controls tailored to the needs of each organization, based on industry best practices;

• A management system that is integrated into the overall risk framework associated with the activity of the organization;

• An internationally recognized process, defined and structured to manage information security;

• An international standard suited to all types of organizations (e.g. commercial enterprises, government agencies, nonprofit organizations ...), of all sizes and in all industries.

ISO 27001, clause 0.1: General

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

This International Standard can be used in order to assess conformance by interested internal and external parties.
