Delegate Workbook
ISMS02001ENIN v2.0 Oct 2022
Copyright © 2022 BSI. All rights reserved.
This material is for the personal use of a delegate attending a course presented by BSI.
No part of the materials may be reproduced, stored electronically, or transmitted in any form or by any
means without the prior written consent of BSI.
Restrooms
Designated smoking areas
Please observe the following key points for your classroom training:
For your personal safety, please be aware of the emergency exits from your classroom and the
building.
Please do not leave valuable items unattended in the classroom. Keep them with you or make other
arrangements for their safekeeping.
Please be considerate of other delegates and avoid distractions from the beeping/flashing of your
mobile phone.
Please do not use recording devices since they may restrict free discussion.
The tutor will inform you of the lunch and break schedule. Please return to class on time.
The tutor will inform delegates of any area(s) known to be available for smoking.
Course structure
Materials:
• Slides
• Reference materials
• Loan copy of ISO/IEC 27001
Course format:
• Activities
• Discussions
The tutor will explain the outline or flow of the course.
This course consists of tutorials, delegate activities and discussions.
Your delegate workbook contains all printed materials related to this course, including slides, activities
and reference materials. Sample answers to the activities are also in the back of your workbook.
Please only refer to the answers for each activity after completing it, or if you’re really stuck.
You will get the most out of this course by being an active participant, asking questions and engaging
in discussions and activities. Remember there are no silly questions and please feel free to seek the
All references to ‘the standard’, ‘27001’ or ‘ISO 27001’ unless otherwise specified refer to ISO/IEC
27001:2022.
Day 1 Day 2
Two short breaks will be taken at suitably convenient times in the morning and afternoon. Forty-five
minutes will be given for a lunch break. Additional breaks may be taken as long as agreed by
delegates and tutor, and all learning objectives are met. Course activities will be at the tutor’s
discretion, depending on time and delegate needs. Finish times may therefore differ from those
advertised.
Benefits to you
This course will help you:
Attract and retain customers by meeting their current and future needs better
Delegates will develop an understanding of how ISO 27001 can provide a systematic framework to
improve overall organizational performance when managing information.
Upon completion of the course, delegates will appreciate how consistent and predictable results can
be more effectively and efficiently delivered by the promotion/application of the process approach,
Risk-based thinking has been included in the requirements of ISO 27001, and delegates will benefit
from an understanding of this approach; especially when defining the rigor and degree of formality
Your learning will be through an activity-based, delegate centred approach. This will help you share
experiences and knowledge with other attendees; bringing alive the information presented and
resulting in enhanced retention and application to your own workplace.
Delegates will also be able to recognize the new harmonized approach, developed by ISO, to improve
You have the full support and training from a world-class BSI tutor also at your disposal.
We hope you very much enjoy the course and take back valuable knowledge to your workplace.
Introductions
Your tutor(s) will introduce themselves.
Course aim
To gain an understanding of effective
information security management,
by using a systematic framework to
protect the:
• confidentiality;
• integrity;
• and availability
To gain an understanding of effective information security management, by using a systematic
framework to protect the confidentiality, integrity and availability of your information and that of your
interested parties.
Learning objectives
Upon completion of this training, delegates
will be able to:
Explain key elements of a management
system implementation process
Identify a typical framework for
implementing ISO/IEC 27001 following
the PDCA cycle
Conduct a baseline review of the
organization’s current position with
regard to ISO/IEC 27001
Interpret the requirements of ISO/IEC
27001 from an implementation
perspective in the context of their
organization
Implement key elements of ISO/IEC
27001
Learning objectives describe in outline what delegates will know by the end of the course.
Implementing a
Management System
Stage 1: “Where we are”
Stage 2: “Implement and operate”
Stage 3: “Manage and improve”
Plan, Do, Check, Act
ISO/IEC 27001 may be seen as adopting a process approach for establishing, implementing,
maintaining and continually improving an ISMS. This approach is often referred to as the Plan, Do,
Check, Act (PDCA) model, and can be applied to all ISMS processes.
• (Plan) Establish the ISMS by understanding the organization’s information security requirements,
requirements from interested parties and create policies, processes and procedures.
• (Do) Implement and Operate the ISMS by implementing and operating the policies, controls,
Stage 1 will essentially enable you to understand where your organization is compared to the
Implementing a
Management System
Stage 1: Where we are
• Top management interest
• Understanding requirements, legal and guidance
• Baseline review, Gantt chart and resource requirements
• Approve and communicate implementation plan
Stage 2: Implement and operate
• Implement and operate the plan
• Support project
• Monitor project
Stage 3: Manage and improve
• Monitor, measure, analyze and evaluate
• Management review
• Continual improvement
The first stage is to understand “where we are” in terms of what is the top management interest,
understanding the requirements of interested parties as well as legal and regulatory requirements.
From this information we can undertake a baseline review and produce a Gantt chart to identify what
resources are required to implement an ISMS.
Management will need to approve an implementation plan, which will need to be communicated to all
relevant parties.
Stage two is all about implementing and operating the plan, ensuring that the project is supported and
monitored.
The final stage is all about determining whether the management system is effective and meets the
needs of the business and interested parties, as well as identifying where the management system
can be improved. This is done through monitoring, measuring and reviewing the ISMS performance.
During this course we will be focusing our attentions on understanding the requirements from an
Diagram: Example ISO/IEC 27001 Implementation Process (Overall Project Management Process and Link to PDCA). Key: Normal Route / Potential Route. Columns: Top Management; Management Representative or Team.
Top Management: Commitment to implement? No: END. Yes: Identify organizational goals for the management system; Appoint a Management representative or team; Communicate interest to the business.
Management Representative or Team (PLAN): Understanding ISO/IEC 27001 requirements, legal, and review available guidance; Baseline review; Identify project milestones; Create Gantt chart.
DO: Support project; Implement the plan; Operate the system; Monitor project.
CHECK: Monitor, measure, analysis and evaluation.
ACT: Management review; Implementation complete? Yes: Prepare for certification; Maintain and continually improve system.
Note: This process is meant to be used only as an example for descriptive purposes. Your implementation process should be modified and developed to suit your business as appropriate, including consideration of scale, style, culture and complexity.
The diagram depicts an example implementation process for an ISMS and how the activities required
to be undertaken can be distributed between top management and the individual/team responsible for
coordinating implementation.
The overall project management process depicts normal and potential routes, if certification is
We will be asking you, as a project manager implementing an ISMS, to cover elements of this process
during the course for your own organization.
The tutor will explain the process, especially the top management “plan” section. Activities are also
shown with the first ones dealing with ISO/IEC 27001 requirements.
(Please refer to References: Overall Project Management Process and link to PDCA)
Reference: Implementation Process diagram (Overall Project Management Process and Link to PDCA). Key: Normal Route / Potential Route. Columns: Top Management; Management Representative or Team.
PLAN: Commitment to implement? (Yes / No); Identify organizational goals for the management system; Understanding ISO/IEC 27001 requirements, legal, and review available guidance; Baseline review: Identify minimum documentation requirements, Conduct baseline gap analysis, Consider certification; Communicate interest to the business; Identify project milestones; Create Gantt chart; Estimate costs and secure resources; Approve and communicate the implementation plan.
DO: Support project; Implement the plan; Operate the system; Monitor project.
CHECK
ACT: Management review; Implementation complete? (Yes / No)
Activity 1: ISO/IEC 27001 Requirements
Purpose:
Review the clause requirements of ISO/IEC 27001 from an implementation perspective.
Duration:
20 minutes
Directions:
Review and discuss the statements provided, and match the statements with the correct clause,
ISO/IEC 27001
Clause Reference | Statement 1 (True) | Statement 2 (True) | Statement 3 (False)
4.1 | | |
4.2 | | |
4.3 | | |
4.4 | | |
5.1 | | |
5.2 | | |
5.3 | | |
6.1 | | |
6.2 | | |
6.3 | | |
7.1 | | |
7.2 | | |
7.3 | | |
7.4 | | |
7.5 | | |
8.1 | | |
8.2 | | |
8.3 | | |
9.1 | | |
9.2 | | |
9.3 | | |
10.1 | | |
10.2 | | |
Requirements
How do you know what the internal and external issues are that are relevant to the purpose of your
organization? Those issues may relate to legal, regulatory or contractual requirements that apply to
your organization and operations. Legislation is changing all the time. How do you keep on top of the
changes? What about other requirements? Perhaps the industry sector you operate in is regulated;
how do you keep abreast of changes to regulations?
An organization needs to know what these requirements are if they want to comply with them. They
will have more chance of complying with them if they know what they are! An ISMS requires an
organization to have a framework for the identification and on-going evaluation of these requirements,
so that it knows what is out there and how it applies to the organization.
requirements with an indication of how it applies to the organization and the operational controls in
place.
‘The What?’ A Process (Owner – Process; Measure IS effectiveness)
‘The How?’ A Procedure (Owner – Procedure; Measure IS operation)
The slide depicts a typical management system structure. We will cover the procedure/process
requirements of ISO/IEC 27001 later on. However, it is important to understand what a process and
procedure is.
Process: Set of interrelated or interacting activities which transforms inputs into outputs
Within the information security policy an organization may state that it will ensure staff leave the
organization in a secure and controlled manner. To demonstrate this is happening and to ensure it
complies with this requirement the organization will implement a leavers process.
The ‘leavers’ process is owned by HR, even though it requires action from other departments across
the organization. The inputs into this process could be an employee’s resignation letter which is sent
to HR. When HR receive this, they inform the necessary parties, which forms some of the outputs:
• IT – to provide a list of assets provided to the user and for them to deactivate accounts on a set
date
IT may then have a procedure on what they need to do when they receive a leaver notification from
HR, e.g. how to run a report of assets assigned to that user and deactivate their account and
privileges.
Policy: Statement of intent
Process
Procedure
Organizations may decide that they do not want to differentiate between a process and procedure and
just use one term; that is entirely up to the organization as long as individuals know whether they
should be creating a document detailing the inputs and outputs or a document providing the detail to a
task.
In some cases organizations combine policy, processes and procedures into a single document –
there is no right or wrong way, just what is appropriate for the organization. Ideally though, a policy is
a statement of intent and does not cover how the requirements are met.
Diagram: the ISO/IEC 27001 framework and its clauses arranged around the PDCA cycle (PLAN, DO, CHECK, ACT): 4 Context of the Organization, Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance Evaluation, Improvement.
This slide shows the framework and its associated clauses.
As you can see the clauses follow the PDCA approach and as we have said, PDCA can be an
approach used for implementing the clauses. With this in mind the next activity asks you to consider
elements of the clauses and how they could be logically implemented according to PDCA.
Activity 2: Holistic implementation process
Purpose:
Create a holistic process of the ISO/IEC 27001 implementation requirements by following the PDCA
cycle.
Duration:
20 minutes
5 minutes classroom discussion/review model answers
Directions:
The tutor will allocate a list of process elements:
Overall Project Management Process and Link to PDCA
Where we are now!
Activities: Baseline review
• Identify minimum documentation requirements
• Conduct baseline gap analysis
Referring back to the ‘Overall Project Management Process and link to PDCA’ diagram we discussed
earlier, if you were the project manager implementing this management system the next stage would
be looking at the baseline review section; starting with documentation requirements.
(Please refer to References: Overall Project Management Process and link to PDCA)
Documented Information
When the Standard refers to documented information, it is talking about documents and records,
whether these are in physical or electronic format.
The extent of documented information required by an organization will depend upon the nature, size
and complexity of the organization and competence of persons within the organization. The general
rule of thumb is, if the absence of documentation is likely to give rise to a significant impact, then the
process, procedure or work instruction should be written down. However, the Standard does require
In addition, the Standard requires controls, suitable to the organization, to be implemented for the
Process
Support documentation
Records
This slide shows ‘typical’ types of documented information within a management system.
Policy – which is appropriate to the purpose of the organization, it should define the outline as to how
information security is managed within the organization.
Manual / Framework – no Manual is required by ISO/IEC 27001, but a framework will provide a map
from the top that will route newcomers and those unused to the ISMS to the precise system element
or procedure that they require. This could easily be just an intranet page for information security, but
should include elements such as scope, process identification etc.
Support documentation – permits, work instructions, signs, notices etc. Work instructions build upon
Records – recording the evidence of the effectiveness of the system and to aid communication.
Clause 7.5.3 of ISO/IEC 27001 requires that document control be applied to documented information
required by the ISMS.
Activity 3: Minimum documentation requirements
Purpose:
Create a list of the minimum documentation requirements.
Duration:
20 minutes
Directions:
Identify the minimum documentation requirements of ISO/IEC 27001:
• Create a list of the minimum documentation requirements
• Include any documented procedures, records and other documents
• Identify what processes and procedures are required
• Record your findings using the templates supplied
ISO/IEC 27001 clause | Documented Requirements
4.1 |
4.2 |
4.3 |
4.4 |
5.1 |
5.2 |
5.3 |
6.1.1 |
6.1.2 |
6.1.3 |
6.2 |
7.1 |
7.2 |
7.3 |
7.4 |
7.5.1 |
7.5.2 |
7.5.3 |
8.1 |
8.2 |
8.3 |
9.1 |
9.2 |
9.3 |
10.1 |
10.2 |
Considerations | Evidence
We now need to establish where we are now by conducting a baseline review. The review takes into
consideration activities, products, processes and services in relation to current and past performance,
based on existing evidence.
The aim of this review is to form a basis for establishing the ISMS. It is important to set the boundaries
with regard to the application and implementation of an ISMS. For example, you might choose to
apply it to the entire organization across all sites or just an operating unit or one particular site. Once
the scope and boundaries have been defined, all the activities of the organization within that scope
will need to be included in the ISMS.
Well, you could use a number of tools and methods to undertake this review including checklists,
conducting interviews, results from previous audits or other reviews, looking through historical records
of previous incidents and so on. However, we are going to look at another approach using
questionnaires.
Activity 4: Baseline gap analysis
Find out how far your organization’s information security management is aligned with ISO/IEC 27001
requirements
• Question 1
Has the organization undertaken a review to determine fully the external and internal issues that are
relevant to establishing the context of the organization? (4.1)
• Question 2
Has the organization undertaken a review to identify interested parties and to understand their needs
and expectation? (4.2)
• Question 3
Has the organization determined the boundaries and applicability of the information security
management system? (4.3)
• Question 4
Has the organization established an information security management system? (4.4)
Activity 4: Baseline gap analysis
Purpose:
Conduct a baseline review of the organization’s current position with regard to ISO/IEC 27001
Duration:
25 minutes
Directions:
Please read the instructions below and then answer the 25 questions posed. Once completed add the
scores up and review the comments pertaining to your scores.
This questionnaire can be used to establish a benchmark position for those organizations considering
implementing a standardized information security management system and can be used
Please complete this questionnaire to give a fair representation of your current level of compliance
with the Standard’s requirements. There are 25 questions and the figures in brackets refer to sections
of ISO/IEC 27001:2022. The answers you give should be representative of your organization’s status
as a whole, so it may be easier to restrict your first answers to a specific representative site for the
purpose of the current activity.
When you have finished answering all the questions, transfer your numerical scores to the final
summary sheet. Please keep the completed questionnaire for your own future reference and use.
Each question requires a self-scored answer in the form of a mark on a linear scale; the two extremes
of the scale are indicated by words or phrases. The scoring is indicated by circling or ticking one of
the five numbers as shown to indicate the status of your organization in relation to the two extremes.
Please ensure that you score with whole numbers only.
0 1 2 3 4
If you consider you have made no progress as regards a particular question, then a 0 should be
selected.
Please note, where questions refer to the maintenance of work procedures you should only consider
your organization to merit a high score if you have had procedures long enough to alter them in the
light of experience. As this process is likely to have taken about a year even with a fully active
information security management system, few organizations rate such a high score.
Question 1
Has the organization undertaken a review to determine fully the external and internal issues that are
relevant to establishing the context of the organization? (4.1)
0 = Previous partial review or new review started, but little progress.
4 = Thorough review completed, formal report covering key areas including its role in information
security management. Identification of processes, activities and functions that can have an effect on
information security management.
0 1 2 3 4
Question 2
Has the organization undertaken a review to identify interested parties and to understand their needs
and expectation? (4.2)
0 = Previous partial review or new review started, but little progress.
4 = Thorough review completed with a formal report covering the key areas, including: Determination
of relevant interested parties, their requirements and identification of legal and other requirements
relating to information security management.
0 1 2 3 4
Question 3
Has the organization determined the boundaries and applicability of the information security
management system? (4.3)
0 = Little action taken to identify the scope.
4 = Scope established including consideration of
outcomes determined.
0 1 2 3 4
Question 4
Has the organization established an information security management system? (4.4)
0 = No discernible action taken in the establishment of an information security management system.
4 = System that meets the requirements of ISO/IEC 27001 is in place.
0 1 2 3 4
Question 5
Has top management demonstrated its commitment to establishing an information security
management system and effective leadership in the continual improvement of the system? (5.1)
0 1 2 3 4
Question 6
Has the organization established an information security policy? (5.2)
0 = Draft available but not widely adopted and some major issues not addressed.
4 = Relevant, understood, maintained, consistent with organization policies and available to
interested parties.
0 1 2 3 4
Question 7
Has the organization assigned responsibilities and authorities in respect of the information security
management system? (5.3)
0 1 2 3 4
Question 8
Does the organization follow a process that determines risks and opportunities? (6.1)
0 = There is little evidence of planning for the information security management system.
4 = Effective planning is put in place that fully takes into account the context of the organization and
its information security risks etc.
0 1 2 3 4
Question 10
Has the organization defined and applied an information security risk treatment process? (6.1.3)
0 = No evidence of a risk treatment process in place.
4 = Effective risk treatment plans in place that determine all the controls necessary to implement the
information security risk treatment options chosen. This has been approved by risk owners and
acceptance of residual information security risks has been obtained. A Statement of Applicability has
been created.
0 1 2 3 4
Question 11
0 1 2 3 4
Question 12
Does the organization have plans in place to achieve information security objectives? (6.2)
Question 13
Does the organization carry out changes to the ISMS in a planned manner? (6.3)
0 = Limited plans in evidence.
4 = Comprehensive change management plans and process in place, suitably documented and
reviewed.
0 1 2 3 4
Question 14
Has the organization provided adequate resources (including human, technological and financial) for
establishment, implementation, maintenance and continual improvement of the information security
management system? (7.1)
0 = Limited resources available to support the system.
4 = Evidence of proper resourcing of the system to achieve information security objectives is in
place.
0 1 2 3 4
Question 15
Has the organization taken the necessary steps to determine the competence of persons, undertaking
work under its control, which can affect information security management system performance? (7.2)
0 = Limited evidence of identification of competence and training to support competence
development.
4 = Comprehensive assessment in place supported by suitable documentation as evidence of
competence.
0 1 2 3 4
Question 16
Has the organization promoted awareness of information security management; so that all those
working under the organization’s control are aware of the requirements as they affect them? (7.3)
0 = Awareness of system requirements
4 = Regular actions taken to ensure that all those
Question 17
Has the organization implemented and maintained sufficient and appropriate communication with
place.
0 1 2 3 4
Question 18
Has the organization established and is it maintaining documented information as required by the
standard and as determined as necessary by the organization? (7.5)
0 = Outline documentation exists.
4 = Comprehensive and detailed documentation available meeting the requirements of the
standard.
0 1 2 3 4
Question 20
Has the organization established a process to ensure information security risk assessments are
performed at planned intervals or in response to significant changes? (8.2)
0 = Little evidence of an established process.
4 = An established process is in place to ensure risk assessments are carried out at appropriate
intervals and in response to significant changes.
0 1 2 3 4
Question 21
Has the organization implemented the risk treatment plan? (8.3)
0 = Little evidence of risk treatment plan implementation.
4 = The risk treatment plan has been fully implemented and documented information is
0 1 2 3 4
Question 22
Has the organization determined details, methods and frequency of areas of operation that need to be
monitored, measured, analyzed and evaluated in order to establish the performance and effectiveness
of the information security management system? (9.1)
Question 23
Has the organization established, implemented and maintained an information security internal audit
programme and documented evidence of the results? (9.2)
0 = Audit programme drafted.
4 = Comprehensive information security audit programme in place that fully meets the requirements
of the standard.
0 1 2 3 4
Question 25
Does the organization continually improve its information security management system? (10.1)
0 = Little attention paid to the improvement of the system.
4 = Opportunities to improve the suitability, adequacy and effectiveness of the information security
management system are identified through use of the information security policy, objectives, audit
results, management reviews and analysis of monitored events.
0 1 2 3 4
Question 26
Does the organization react effectively to any nonconformity identified within its information security
management system and maintain documented information where appropriate? (10.2)
0 1 2 3 4
Summary Sheet
Section | Ref | Title
4.1 | 1 | Context
4.3 | 3 | Scope
4.4 | 4 | ISMS
5 | | Leadership
5.2 | 6 | Policy
5.3 | 7 | Organizational roles, responsibilities and authorities
6 | | Planning
6.1.1 | 8 | General
6.1.2 | 9 | Information security risk assessment
7 | | Support
7.1 | 14 | Resources
7.2 | 15 | Competence
7.3 | 16 | Awareness
7.4 | 17 | Communication
8 | | Operation
8.2 | 20 | Information security risk assessment
8.3 | 21 | Information security risk treatment
9 | | Performance evaluation
10 | | Improvement
Overall Project Management Process and Link to PDCA
Where we are now: Create Gantt chart; secure resources

To recap where we are now, after conducting the gap analysis we now need to identify project milestones and create a Gantt chart.

(Please refer to References: Overall Project Management Process and link to PDCA)
Project Plan
(Gantt chart extract: Management review X X X X; BSI registration X)

Once the gaps have been identified we can then start planning, using a Gantt chart as an example.

You will need to identify the elements required in any project management, i.e. critical paths and tasks, linking tasks (leading or lagging), resources, milestones and reporting.

MS Project is one tool that can do this, but there are many others, including simply using an Excel spreadsheet.

The commitment of people is paramount in any project, and ensuring this happens is the responsibility of the project manager. He or she will need to assemble a team with the right skills and the ability to work as team players, while the realities of time, cost and quality come into play.
Project plan
Qualities of a good project manager: excellent communicator; authority to make decisions; an instinctive method of working founded on years of experience.

The project manager must be an excellent communicator; project management is about influencing others. Skills such as negotiating, persuading, advising and listening also come into play.

The project manager must be a good leader. A project relies on the commitment and loyalty of all involved.

It is important to note the balance between responsibility and authority in any project. The project manager needs to have the responsibility and authority to see a project through to completion. If they don't have the authority to make decisions this will lead to project inertia.

In a similar way, the members of the project team will need clear guidance on their own responsibilities and the decisions they have the authority to make.

A good project manager's instinctive method of working will be founded on years of experience.
Gantt Chart (Activity 5)
Start to create a Task Sheet and Gantt Chart using the baseline review to identify main weaknesses
(Need to define for each organization: resources etc.)

Task sheet excerpt (Related question / Clause / Task):
1   4.1   Determine purpose; determine external and internal issues
2   4.2   Determine interested parties; determine their requirements; determine legal and other requirements
3   4.3   Determine boundaries/scope; determine interfaces and dependencies; document scope
4   4.4   Establish and implement an ISMS; maintain and continually improve the ISMS
5   5.1   Top management: establish policy, objectives

Activity 5: Create a Gantt chart

Purpose:
Start to create a Task Sheet and Gantt Chart using the baseline review to identify main weaknesses

Duration:
15 minutes

Directions:
Having identified the main strengths and weaknesses in your ISMS from the last activity, it is now time to translate this into a task sheet. Review the activities in the task sheet provided and, for the areas of greatest weakness identified, start to identify specific activity durations for the resources you have at your disposal (if any). This will help in creating a Gantt chart for your implementation.
Gantt Chart task sheet (Activity 5)
Related question / Clause / Task (Duration, Start and Finish columns left blank for delegates to complete):

1   4.1   Determine external and internal issues
2   4.2   Determine interested parties
2   4.2   Determine their requirements
2   4.2   Determine legal and other requirements
3   4.3   Determine interfaces and dependencies
3   4.3   Document scope
4   4.4   Establish and implement an ISMS
4   4.4   Maintain and continually improve the ISMS
5   5.1   Top management: establish policy, objectives
5   5.1   Top management: ensure integration of ISMS requirements into organization's processes
5   5.1   Top management: ensure resources available
5   5.1   Top management: communicate importance
5   5.1   Top management: ensure ISMS achieves intended outcome
5   5.1   Top management: directing and supporting persons
5   5.1   Top management: promoting continual improvement
5   5.1   Top management: support other relevant management roles
6   5.2   Top management: policy is appropriate to organization's purpose
6   5.2   Top management: policy provides information security objectives or framework
6   5.2   Top management: policy includes commitment to …
6   5.2   Top management: policy is documented
6   5.2   Top management: policy is communicated within the organization
6   5.2   Top management: policy is available to interested parties
7   5.3   … communicated
7   5.3   Top management: assign responsibility and authority for: a) ensuring the ISMS conforms to the requirements of the standard
8   6.1.1 Plan how to address the risks and …
9   6.1.2 … process including: establishing and maintaining risk criteria
10  6.1.3 Select risk treatment options
10  6.1.3 Determine necessary controls
10  6.1.3 Compare controls with Annex A
10  6.1.3 Produce a Statement of Applicability
11  6.2   … objectives
11  6.2   Retain documented information on the objectives
15  7.2   Ensure persons are then competent on basis of…
15  7.2   Take action to acquire this competence
15  7.2   Evaluate the effectiveness of the actions taken
15  7.2   Retain appropriate documented evidence
16  7.3   … control are aware
17  7.4   … internal/external communications
17  7.4   Determine with whom to communicate
18  7.5   Document information required for ISMS effectiveness
18  7.5.2 Ensure appropriate identification and description
18  7.5.2 Ensure appropriate format and media
18  7.5.2 Ensure review and approval for adequacy
18  7.5.3 … legibility, preservation
19  8.1   Implement plans
19  8.1   Keep documented information to provide confidence
19  8.1   Control planned change
19  8.1   Review consequences of unintended changes
20  8.2   Retain documented information of …
22  9.1   Determine when it shall be performed
22  9.1   Who shall monitor and measure
22  9.1   When the results shall be analyzed and evaluated
22  9.1   … measurement results
24  9.3   Include for consideration a) to f)
24  9.3   Outputs include decisions relating to…
24  9.3   Retain documented information as evidence of review
25  10.1  React to nonconformities
27  10.2  Make changes to the ISMS if necessary
27  10.2  Retain documented information as evidence of … f) and g)
Overall Project Management Process and Link to PDCA
Where we are now: Create Gantt chart; estimate costs and secure resources; approve and communicate the implementation plan; activities to implement the plan and operate the system; monitor project

As you can see, once a task sheet/Gantt has been prepared and costs/resources estimated, top management will need to approve and communicate the plan to the appropriate people. Not everyone will need to know everything, therefore it is important to determine who needs to know what and when.

This leads us nicely into looking at the activities around implementing the plan and operating the system. We will start by looking at the requirements around understanding the context of your organization.

(Please refer to References: Overall Project Management Process and link to PDCA)
Clause 4: Context of the Organization (4.1)
Determine:
• External issues relevant to its purpose
• Internal issues relevant to its purpose
• Interested parties relevant to the ISMS
• Requirements of these interested parties
• Activities performed by the organization/other organizations
• Interfaces and dependencies between activities

Clause 4 relates to the context of the organization, which requires the organization to determine the external and internal issues that affect its ISMS. What those issues are will depend on the type of organization it is.

Organizations shall also demonstrate an appreciation and understanding of their purpose, aligned with the needs and expectations of the interested parties relevant to the ISMS.

Finally, organizations are required to identify interfaces and dependencies between the activities they perform and the activities performed by other organizations that could have an impact on information security. Therefore, if an organization relies on a third party for certain activities, e.g. IT services, it is important that it understands what this third party has contractually agreed to do and how the third party may affect the organization's information security measures.
Activity 6: Understanding your context

Purpose:
Practice implementation of ISO/IEC 27001 key elements: Understanding of the organization and its context.

Duration:
15 minutes
5 minutes classroom discussion

Directions:
Review the template provided – start to complete areas 1-6 for your organization.

Template (areas 1-6):
2) External issues relevant to question 1)?
3) Internal issues relevant to question 1)?
4) Processes, associated activities and functions that can impact Information Security?
5) Interfaces and dependencies between activities performed by the organization?
6) Interfaces and dependencies between activities performed by other organizations?
Determine relevant interested parties and their needs

As mentioned, there is a requirement to determine relevant interested parties and the needs of these interested parties. Those needs and expectations may include legal and regulatory requirements and contractual obligations. These may depend on the type, size and industry sector the organization operates in.
Activity 7: Interested parties
Map across interested parties and determine requirements. Identify individuals and/or entities who are affected by and affect your ISMS.

Your Organization:
• Top Management
• Those accountable for ISMS policy and implementation
• Those who implement and maintain the ISMS
• Those who maintain ISMS and risk procedures
• Other Staff
• Contractors

Other interested parties:
Citizens, Customers, Distributors, Shareholders, Investors, Owners, Insurers, Government, Regulators, Recovery service suppliers, Staff dependents, Competitors, Media, Commentators, Trade groups, Neighbours, Pressure groups, Emergency services, Other response agencies, Transport services

Activity 7: Interested parties

Purpose:
Map across interested parties and determine requirements.

Duration:
15 minutes

Directions:
Please identify from the lists provided, and any others that you might wish to add:
ISMS scope example:
• Purchasing, manufacturing, storage and distribution including completion of sales orders and despatch in <HQ> and regional manufacturing sites only
• IT and HR processes within branch 1 and branch 2

All of the elements discussed in the previous slides will enable the organization to determine the boundaries and applicability of the ISMS to establish its scope.

See toolkit section:
9) *ISMS Scope Example
Activity 8: Write a scope

Purpose:
Enable delegates to determine and write a scope for their own organization.

Duration:
15 minutes

Directions:
After reviewing the sample scope provided in your Toolkit Section, please try a first attempt at drafting a scope for your ISMS. Write this on a flipchart so that all participants can give feedback on it.

The Standard refers to 'determining the boundaries and applicability of the ISMS to establish its scope'.
Leadership and Commitment
Top management set the culture of an organization

Clause 5 looks at Leadership; one element of it is Clause 5.1 Leadership and commitment, which identifies the requirements placed on top management.

Top management responsibility and commitment have been features of management system standards for many years; however ISO/IEC 27001:2022 re-emphasises this in a more pronounced

Top management set the culture of an organization; employees are more likely to embrace information security if they see top management:
• Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization's information security objectives
Top Management shall demonstrate its leadership and commitment through:
• Establishing an information security policy (subclause 5.2)
• Establishing information security objectives (subclause 6.2)
• Ensuring resources needed for the ISMS are available
• Ensuring ISMS roles, responsibilities and authorities are assigned (subclause 5.3)
• Communicating the importance of effective information security management (subclause 5.1 d)

Having information security management at board level will ensure that a comprehensive approach is
Activity 9: Leadership and commitment

Purpose:
Establish how top management can demonstrate leadership and commitment

Duration:
10 minutes

Directions:
• Review ISO/IEC 27001 Clause 5.1 Leadership and commitment
• Discuss, from the perspective of your own organizations, how top management can demonstrate leadership and commitment for the ISMS
Clause 5: Leadership (5.2)
Clause 5.2.1 Establishing IS Policy
Clause 5.2.2 Communicating IS Policy

Clause 5.2 looks at the requirements around an information security policy. Top management shall establish an information security policy that:
• Is appropriate to the purposes of the organization
• Includes information security objectives (Clause 6.2) or provides the framework for setting information security objectives

Ideally the policy should outline the organization's information security purposes and should be no longer than 2 pages; anything longer and it is more than likely people will not read it.
The policy is required to be available as documented information, be communicated within the organization and be available to interested parties (e.g. customers, suppliers, general public).

A policy will not be fully functioning unless it is communicated. How this is communicated will depend on the organization and its structure and culture. Methods for internal communication could be:
• Staff handbook
• Notice boards
• In house magazine
• Via Intranet
Activity 10: Create a policy

Purpose:
To give you the opportunity to create your own policy for your organization

Duration:
15 minutes

Directions:
After reviewing the sample policy provided, please try a first attempt at drafting a policy for your intended ISMS.
The final clause in Leadership is around organizational roles, responsibilities and authorities (Clause 5.3).

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. It is important that anyone who has been assigned responsibility for an activity understands what they have the authority to do, agree to, etc. For example, the information security manager may have responsibility for the day-to-day management of the ISMS but may not have the authority to approve or agree changes to the ISMS. Just because someone has responsibility does not automatically mean they have authority.
Review of day 1 and remaining learning objectives.
Clause 6: Planning
Planning process (diagram):
Inputs: interested parties and expectations; internal issues; external issues; ISMS boundaries and applicability
-> Consideration to determine risks and opportunities in relation to the ISMS
-> Define risk assessment process -> Information security risk assessment process
-> Undertake risk assessment -> Documented information of prioritized IS risks
-> Define risk treatment process and determine risk treatment options -> Risk treatment plan
-> Establish information security objectives

Clause 6 ensures the organization has the building blocks in place to determine that the ISMS can achieve its intended outcome, by preventing or reducing undesired effects and achieving continual improvement. The planning clause identifies the processes to enable an organization to do this.

The diagram on this slide depicts the overall planning process, which includes determining risks and opportunities that need to be addressed, by undertaking risk assessment and risk treatment processes, through to setting appropriate information security objectives and plans to achieve them.
Clause 6.1 relates to Actions to address risks and opportunities. So what do we mean by opportunities? Those of you who are familiar with other management systems may recall the term preventive action, i.e. an action to eliminate the cause of a potential nonconformity or other undesirable potential situation. Preventive action is no longer referenced within ISO/IEC 27001 but now comes under risks and opportunities.

When determining the risks and opportunities that need to be addressed, it is important for an organization to consider its context, i.e. internal and external issues (Clause 4.1) and the needs and expectations of interested parties (Clause 4.2).

The organization shall plan actions to address these risks and opportunities, as well as plan how to integrate and implement these actions into the ISMS processes and evaluate the effectiveness of these actions.
Risk assessment process (diagram):
Inputs: asset inventory; causes and sources of risk; risk owners
-> Identify information security risks -> Identified information security risks
-> Analyze the information security risks -> Determined level of risk based on consequence and likelihood
-> Evaluate information security risks -> Risks prioritized for treatment
Output: documented information of risk assessment process

Organizations are required to plan how they will undertake risk assessments. An information security risk assessment process should be defined that includes criteria for accepting risks and for when risk assessments should be performed, as well as ensuring that repeated information security risk assessments produce consistent, valid and comparable results.

So what do we mean by risk acceptance criteria? Criteria are used to help decide whether the risk is low enough to not require treating. For example, an organization may decide that any risks that fall below a certain score will be accepted without treatment, but will be monitored to ensure the risk score doesn't change.
A period not exceeding 3 years

So, when should a risk assessment be undertaken? Clause 8.2 states that risk assessments shall be performed at planned intervals or when significant changes are proposed or occur. The standard does not itself fix a maximum interval; the organization sets it. Therefore an organization may decide to undertake a risk assessment when there are:
• Significant changes to the business affecting information security (determined by management)
• … security events)
• A period not exceeding 3 years
Activity 11: Risk criteria

Purpose:
To define risk criteria that ensure repeated information security risk assessments produce consistent, valid and comparable results.

Duration:
20 minutes
10 minutes classroom discussion

Directions:
After reviewing the sample information security risk assessment procedure provided in the toolkit, please try a first attempt at defining risk acceptance criteria and criteria for performing information
Risk Identification
Asset Register; Causes; Sources

The risk assessment process should identify risks associated with the loss of confidentiality, integrity and availability (CIA) of information within the scope of the ISMS.

So how do you identify risks associated with the loss of CIA for information?

A risk is derived from various elements. Firstly, you need to know what information is within scope of the ISMS and where and how that information is processed, from creation all the way to destruction.

Risk identification also involves consideration of the sources and causes of risk (sometimes referred
Risk Identification
Each risk should be assigned an owner, who will be responsible for agreeing risk treatment and residual risk

Therefore your risks may look something like this:
• Risk of unauthorised access to HR information stored in the HR Office, due to lack of access control measures.
• Risk of loss of customer information stored on the network drives, due to backup failure.

All this is doing is identifying risks; whether a risk is likely to happen, or the consequences that would result from it happening, is part of the analysis stage.

Each risk should be assigned an owner, who will be responsible for agreeing risk treatment and residual risk.

Please note this course only provides the foundations of how to undertake a risk assessment.
Risk level estimator

Likelihood       | Consequence: Low | Medium      | High
Likely           | Low risk         | Medium risk | High risk
Unlikely         | Low risk         | Medium risk | Medium risk
Highly unlikely  | Low risk         | Low risk    | Medium risk

Once you have identified your information security risks you can analyze the potential consequences if the risk materialized, referred to as the impact, and assess the likelihood (probability) of such a risk occurring.

A simple way to do this is to use a risk level estimator, for example:

Impact:
• Low - Internal services affected, minor inconvenience to customer, financial cost <$100k

When analysing the likelihood of a risk occurring you will need to take into consideration whether similar incidents have occurred and, if so, how often, and whether the items you are assessing are close to

Likelihood:
• Highly Unlikely - Can assume it will not occur
• Unlikely - Seldom, could occur at some time
• Likely - Has happened before, has potential to happen
Risk Assessment Tools

Likelihood           | Consequence: Less significant (1) | Significant (2) | (3)
Likely (3)           | 3 | 6 | 9
Unlikely (2)         | 2 | 4 | 6
Highly unlikely (1)  | 1 | 2 | 3

Another approach to risk assessment is to use numeric values rather than descriptions, but it is important for the person(s) undertaking the risk assessment to understand what a score means to the organization, so a combination of numbers and descriptions is often seen.

There is no one good way, and you should understand the benefits of a common approach in your

Whichever approach is selected, it must be applied consistently and be robust.

Once the risks have been analyzed the results should be compared with the risk criteria established
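The two estimators above look interchangeable but are not: the descriptive matrix rates Likely/Low as Low risk and Highly unlikely/High as Medium risk, yet both score 3 in the numeric table. The following worked example is added here and is not part of the BSI workbook: it encodes both of the workbook's 3x3 matrices, checks that the descriptive matrix is monotone (raising likelihood or consequence never lowers the level), lists the cells where the two approaches disagree, and evaluates a small register against an acceptance criterion. The register entries, the owner names and the acceptance rule ("Low" is accepted without treatment but monitored) are constructed assumptions for illustration, not the course's sample procedure.

```python
"""Risk level estimator built on the workbook's two 3x3 matrices (added example)."""
from dataclasses import dataclass
from itertools import product as cartesian
from typing import Dict, List, Tuple

# Ordinal scales behind the numeric matrix: score = likelihood x consequence.
LIKELIHOOD: Dict[str, int] = {"Highly unlikely": 1, "Unlikely": 2, "Likely": 3}
CONSEQUENCE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# Descriptive matrix as printed in the workbook: (likelihood, consequence) -> level.
MATRIX: Dict[Tuple[str, str], str] = {
    ("Likely", "Low"): "Low", ("Likely", "Medium"): "Medium", ("Likely", "High"): "High",
    ("Unlikely", "Low"): "Low", ("Unlikely", "Medium"): "Medium", ("Unlikely", "High"): "Medium",
    ("Highly unlikely", "Low"): "Low", ("Highly unlikely", "Medium"): "Low",
    ("Highly unlikely", "High"): "Medium",
}
LEVEL_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Risk:
    ref: int
    details: str
    owner: str  # every risk has an owner who agrees treatment and residual risk
    likelihood: str
    consequence: str


def numeric_score(risk: Risk) -> int:
    """Numeric approach: likelihood (1-3) multiplied by consequence (1-3)."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def qualitative_level(risk: Risk) -> str:
    """Descriptive approach: read the level off the 3x3 matrix."""
    return MATRIX[(risk.likelihood, risk.consequence)]


def matrix_violations(matrix: Dict[Tuple[str, str], str]) -> List[str]:
    """Robustness check: a higher likelihood or consequence must never give a lower level.
    Returns human-readable violations; an empty list means the matrix is monotone."""
    problems: List[str] = []
    likes = sorted(LIKELIHOOD, key=LIKELIHOOD.get)
    cons = sorted(CONSEQUENCE, key=CONSEQUENCE.get)
    for i, lk in enumerate(likes):
        for j, cq in enumerate(cons):
            here = LEVEL_RANK[matrix[(lk, cq)]]
            if i + 1 < len(likes) and LEVEL_RANK[matrix[(likes[i + 1], cq)]] < here:
                problems.append(f"{likes[i + 1]}/{cq} rated below {lk}/{cq}")
            if j + 1 < len(cons) and LEVEL_RANK[matrix[(lk, cons[j + 1])]] < here:
                problems.append(f"{lk}/{cons[j + 1]} rated below {lk}/{cq}")
    return problems


def score_level_disagreements() -> List[Tuple[int, str]]:
    """Numeric scores that map to more than one descriptive level.
    Equal products do not always mean equal levels, which is why one agreed
    approach must be applied consistently rather than the two being mixed."""
    by_score: Dict[int, set] = {}
    for lk, cq in cartesian(LIKELIHOOD, CONSEQUENCE):
        by_score.setdefault(LIKELIHOOD[lk] * CONSEQUENCE[cq], set()).add(MATRIX[(lk, cq)])
    return [(s, ", ".join(sorted(lv))) for s, lv in sorted(by_score.items()) if len(lv) > 1]


def evaluate(risks: List[Risk], accept_up_to: str = "Low") -> Tuple[List[Risk], List[Risk]]:
    """Compare analysed risks with the (assumed) acceptance criterion and prioritise.
    Risks whose matrix level is at or below accept_up_to are accepted without
    treatment but kept for monitoring. Returns (to_treat, accepted); to_treat is
    ordered by numeric score, highest first, ties broken by reference number."""
    threshold = LEVEL_RANK[accept_up_to]
    to_treat = [r for r in risks if LEVEL_RANK[qualitative_level(r)] > threshold]
    accepted = [r for r in risks if LEVEL_RANK[qualitative_level(r)] <= threshold]
    to_treat.sort(key=lambda r: (-numeric_score(r), r.ref))
    return to_treat, accepted


# Constructed sample register; the first two entries reuse the workbook's own risk wording.
REGISTER: List[Risk] = [
    Risk(1, "Unauthorised access to HR information stored in the HR Office, due to lack of "
            "access control measures", "HR Manager", "Likely", "Medium"),
    Risk(2, "Loss of customer information stored on the network drives, due to backup failure",
         "IT Manager", "Unlikely", "High"),
    Risk(3, "Disclosure of visitor log details left at reception", "Facilities Manager",
         "Highly unlikely", "Low"),
    Risk(4, "Ransomware encrypting the finance file server", "IT Manager", "Likely", "High"),
]

if __name__ == "__main__":
    assert not matrix_violations(MATRIX), "descriptive matrix is not monotone"
    treat, accept = evaluate(REGISTER)
    for r in treat:
        print(f"TREAT  #{r.ref} score={numeric_score(r)} level={qualitative_level(r)} owner={r.owner}")
    for r in accept:
        print(f"ACCEPT #{r.ref} level={qualitative_level(r)} (monitor; re-assess on significant change)")
    print("scores with more than one descriptive level:", score_level_disagreements())
```

Running the block prioritises risk 4 (score 9, High) ahead of risks 1 and 2 (both score 6, Medium), accepts risk 3 for monitoring, and reports that score 3 maps to both Low and Medium. The monotonicity check is worth keeping in a real procedure: a matrix that has been edited over the years can silently end up rating a more likely, more damaging event lower than a milder one.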
Activity 12: Identify and analyze information security risks

Purpose:
Determine the risks and opportunities associated with the scope and interested parties within the context of your organization.

Duration:
20 minutes
10 minutes classroom discussion

Directions:
• … organization
• Analyze those risks, to assess the potential impact that would result if the risk were to materialize
• Analyze those risks, to assess the realistic likelihood of the occurrence of the risks identified, to determine the levels of risk
• Evaluate the risks resulting from risk analysis against the risk criteria in the sample procedure, and prioritize the analyzed risks for treatment
Risk register template:
No. | Risk Details | Consequence | Likelihood | Risk Score
(numbered rows 1 to 10, to be completed)

Please use the space provided to record your prioritized risks for treatment
Risk treatment process (diagram):
Designed controls -> Compare controls with controls in Annex A to verify that no necessary controls have been omitted (all controls) -> Justification for inclusion / Justification for exclusion (Annex A) -> Produce statement of applicability -> Statement of applicability -> Formulate risk treatment plan -> Risk treatment plan -> Obtain risk owners' approval -> Documented information of risk treatment process

Taking into account the results from the risk assessment, the organization shall define and apply a risk treatment process to select appropriate risk treatment options and to determine all controls that are necessary to implement the risk treatment options chosen.

So what does this mean?

Risk Treatment
An organization, depending on its risk acceptance criteria defined under Clause 6.1.2, can select one of a number of options to treat a risk. We will cover these options in more detail on the next slide.

Control
A control, which can be technical and/or organizational, if implemented, would reduce the likelihood of
Clause 6.1.3: Risk Treatment
Statement of Applicability
Actions
Target dates
Review dates
Responsibilities

A Statement of Applicability (SoA) and a risk treatment plan (RTP) should be formulated, and risk owners' approval shall be obtained for the risk treatment plan and acceptance of the residual risk. The risk treatment plan should ideally include actions to be taken, target dates for completion, review dates and responsibilities.

Note: The Standard aligns the risk assessment and risk treatment processes with ISO 31000 Risk
Risk Treatment Options
Reduce/Treat
Avoid/Terminate
Accept/Tolerate
Transfer/Share

The common risk treatment options are:
• Reduce/Treat – to change the likelihood of the risk occurring and/or its consequence, by implementing control measures
• Avoid/Terminate – to decide not to start or continue with the activity that gives rise to the risk
• Accept/Tolerate – to retain the risk by an informed decision
• Transfer/Share – to share the risk with another party or parties through contracts and risk financing
ISO 27002:2022
93 controls and five searchable and selectable attributes
The controls an organization adopts can be designed by the organization or identified from any source
Annex

The organization shall determine all controls that are necessary to implement the information security risk treatment options chosen.

A control* is: ‘measure that is modifying risk’

The controls an organization adopts can be designed by the organization or identified from any source, e.g. legally or regulatorily required controls, client-required controls, or even product- or service-specific controls. Any controls chosen must be compared with the list of controls in Annex A – Reference control objectives and controls of the Standard to verify that no necessary controls have been omitted.
ISO 27002:2022
93 controls and five searchable and selectable attributes
Clause 5 - Organizational controls: 37 controls: 34 existing, 3 new
Clause 6 - People controls: 8 controls, all existing

Annex A of the standard has 4 different security control categories, namely:
• A.5: Organizational controls
• A.6: People controls
• A.7: Physical controls
• A.8: Technological controls

The order in which these categories are presented is not significant, and any other lists that exist within the standard are not presented in any kind of priority order.

Organizations should determine which categories and associated controls are important for them to implement based on the benefit obtained by doing so. If using this standard as an aid for implementing controls associated with an ISMS based on ISO/IEC 27001, then the management
ISO 27002:2022
93 controls and five searchable attributes

Control attributes: Attribute values
Control type: #Preventive, #Detective, #Corrective
Information security property: #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Identify, #Protect, #Detect, #Respond, #Recover
Operational capabilities: #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
Security domains: #Governance_and_Ecosystem, #Protection, #Defence, #Resilience

The categorization of the controls given in each clause is referred to as a theme. Within each theme, an organization can apply given attributes to allow them to manage their controls and present them to different audiences in different ways.

For each control, ISO/IEC 27002 provides extensive ‘implementation guidance’, and for certain controls, ‘other information’ which provides broader advice and considerations around that specific control.

There are a total of 93 controls spread over the four clauses. Of those 93 controls, 58 were in the previous edition of ISO 27002 but have been updated to reflect technology changes and different approaches.

24 controls have been merged to streamline the control set and link controls that are inextricably connected.
ISO 27002:2022
93 controls and five searchable and selectable attributes
(The table of control attributes and attribute values is repeated from the previous slide.)

Each of the 93 controls can be tagged with five attribute types, as seen here. This allows the organization to manage, filter, sort, and present controls in different ways, as is needed by an organization. This can be done using a database or web-based application.

Control type:
Control type is designed to allow an organization to consider the control from the perspective of risk
Corrective – The control acts after the information security incident occurs.
93 controls and five searchable and selectable attributes
Cybersecurity concepts allow controls to be viewed in relation to the cybersecurity concepts
Security domains are an attribute to view controls from the perspective of information security domains

Information security properties relate to whether the control is preserving confidentiality, integrity, and/or availability.

Cybersecurity concepts allow controls to be viewed in relation to the cybersecurity concepts defined in the cybersecurity framework, as described in ISO/IEC TS 27110 and the NIST cybersecurity framework.

The operational capabilities attribute allows controls to be viewed from the practitioner’s perspective of information security capabilities and is similar to the previous version of ISO/IEC 27002 clauses.

Security domains are an attribute to view controls from the perspective of information security domains, expertise, services, and products.

One of the ISO 27000 family’s strengths is in its flexibility and its ability to be applied to any organization regardless of size, sector, or location. The five attributes we have discussed are considered generic enough to meet this brief. However, it is also understandable that these attributes
ISO 27002:2022
93 controls and five searchable and selectable attributes
Organizations can develop their own attributes
controls included as well as those controls within Annex A that have been excluded

An organization can, therefore, choose to disregard one or all of these attributes. They may also wish to add attributes of their own. This may be based on control maturity, a risk event scenario, or top management priority.

These attributes may also be used by industry bodies or trade associations to prioritize controls for a specific sector.

A statement of applicability (SoA) shall then be developed identifying all controls that have been selected, along with a justification for any controls included as well as those controls within Annex A that have been excluded.
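The attribute tagging and filtering described on the preceding slides, together with the Annex A comparison and the SoA inclusion/exclusion justifications from the risk treatment process, can be handled in one small tool. The following Python is an added example, not BSI's or ISO's code: the Annex A subset uses real ISO/IEC 27001:2022 references, while the selected controls, their attribute tags, the organization-specific control ORG-1 and the justifications are constructed for illustration.

```python
"""Tag controls with the five ISO/IEC 27002:2022 attribute types, filter them,
and check a draft Statement of Applicability (SoA) against Annex A.
Added example (not from the BSI workbook); the control subset, tags and
justifications are constructed for illustration."""
from dataclasses import dataclass

ATTRIBUTE_TYPES = ("control_type", "property", "concept", "capability", "domain")


@dataclass
class Control:
    ref: str       # Annex A reference, or an organization-specific id
    title: str
    source: str    # where the control came from: "Annex A", "client", "legal", "designed", ...
    tags: dict     # attribute type -> set of hashtag values from the attribute table


# Reference list: a small constructed subset of Annex A (ISO/IEC 27001:2022 references).
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.5.7": "Threat intelligence",
    "A.6.3": "Information security awareness, education and training",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.16": "Monitoring activities",
}

# Controls the organization has chosen (tags are illustrative assumptions);
# ORG-1 is a hypothetical client-required control from outside Annex A.
SELECTED = [
    Control("A.5.7", ANNEX_A["A.5.7"], "Annex A", {
        "control_type": {"#Preventive", "#Detective", "#Corrective"},
        "property": {"#Confidentiality", "#Integrity", "#Availability"},
        "concept": {"#Identify", "#Detect", "#Respond"},
        "capability": {"#Threat_and_vulnerability_management"},
        "domain": {"#Defence", "#Resilience"}}),
    Control("A.6.3", ANNEX_A["A.6.3"], "Annex A", {
        "control_type": {"#Preventive"},
        "property": {"#Confidentiality", "#Integrity", "#Availability"},
        "concept": {"#Protect"},
        "capability": {"#Human_resource_security"},
        "domain": {"#Governance_and_Ecosystem"}}),
    Control("A.8.16", ANNEX_A["A.8.16"], "Annex A", {
        "control_type": {"#Detective", "#Corrective"},
        "property": {"#Confidentiality", "#Integrity", "#Availability"},
        "concept": {"#Detect", "#Respond"},
        "capability": {"#Information_security_event_management"},
        "domain": {"#Defence"}}),
    Control("ORG-1", "Tokenisation of client payment data", "client", {
        "control_type": {"#Preventive"},
        "property": {"#Confidentiality"},
        "concept": {"#Protect"},
        "capability": {"#Information_protection"},
        "domain": {"#Protection"}}),
]


def filter_controls(controls, **wanted):
    """Controls carrying every requested tag, e.g. the detective controls that
    support the #Respond concept:
    filter_controls(SELECTED, control_type="#Detective", concept="#Respond")."""
    unknown = set(wanted) - set(ATTRIBUTE_TYPES)
    if unknown:
        raise ValueError(f"unknown attribute type(s): {sorted(unknown)}")
    return [c for c in controls
            if all(tag in c.tags.get(attr, set()) for attr, tag in wanted.items())]


def soa_gaps(selected, annex_a, exclusion_justifications):
    """Annex A references that are neither selected nor justified as excluded.
    A non-empty result means a necessary control may have been omitted."""
    chosen = {c.ref for c in selected}
    return sorted(ref for ref in annex_a
                  if ref not in chosen and ref not in exclusion_justifications)


def statement_of_applicability(selected, annex_a, inclusion, exclusion):
    """SoA rows (ref, title, status, justification): every Annex A control is
    listed as included or excluded, and controls from other sources are appended."""
    chosen = {c.ref: c for c in selected}
    rows = []
    for ref, title in annex_a.items():
        status = "included" if ref in chosen else "excluded"
        justification = (inclusion if ref in chosen else exclusion).get(ref, "")
        rows.append((ref, title, status, justification))
    for c in selected:
        if c.ref not in annex_a:
            rows.append((c.ref, c.title, f"included ({c.source})", inclusion.get(c.ref, "")))
    return rows
```

Running soa_gaps on the constructed data reports A.5.1, which was neither selected nor justified as excluded, which is exactly the omission the Annex A comparison step is meant to catch.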
Useful Guidance on Risk
Risk analysis and management are key facets of any management system
Some useful standards are:

For interested delegates, BSI has Risk Management 31000 courses on Understanding and on Implementation:

Understanding Risk Management - ISO 31000, RMG01001ENGX
As a proven methodology, risk management is a systematic framework and process for maximizing those areas where outcomes can be controlled while minimizing those that cannot be predicted, and over which control cannot be exercised.

There are other standards that may be of use, depending on level of interest or need:
ISO/IEC Guide 73 – Risk management vocabulary – Guidelines for use in standards
BS 31100:2021 Risk management – Code of practice and guidance for the implementation of BS ISO 31000
IEC 31010 – Provides details on risk assessment concepts, process, and selection/comparison of risk assessment tools/techniques
Activity 13: Risk treatment
Preparing risk treatment plan as per Clause 6.1.3 and Clause 8.3 (20 minutes)

Purpose:
To enable delegates to identify appropriate risk treatment options and to determine all controls that are necessary to implement the risk treatment option chosen. Delegates will be required to consider designing controls, controls from other sources as well as those controls within Annex A.

Duration:
20 minutes

Directions:
Use the prioritized risks from the previous activity (Activity 12) to:
Risk treatment worksheet columns: No. | Risk Treatment Options | Controls Selected | Source?
(Blank numbered rows are provided for delegates to complete.)
Establishing information security objectives
What are the internal and external issues?
requirements?
Are the objectives consistent with the IS policy?

The organization needs to establish information security objectives at relevant functions and levels. Objectives should include plans on how to achieve them as well as how the results will be evaluated.

Objectives are required to be documented and must identify:
• What will be done
Establishing information security objectives
Objectives:
Specific
Communicated
Updated

Objectives should be specific, and targets should be measurable wherever practical and, where appropriate, should take into account applicable information security requirements and risk assessment and risk treatment results.

For example:
• Objective: Conduct a service continuity exercise with each customer
• Responsible: IT Director
• When: Annually
• Monitoring: Internal auditor will be present to assess exercise objectives against actual exercise performance; results will be reviewed by the Information Security Manager and presented at the Management Review meetings.
retained.
Activity 14: Establishing information security objectives
Create information security objectives and planning to achieve them
After reviewing the sample objective provided, please try drafting 2 objectives for your intended ISMS (15 minutes)

Activity 14: Create information security objectives

Purpose:
Enable delegates to create information security objectives and an action plan

Duration:
15 minutes

Directions:
After reviewing the sample objective provided, please try drafting 2 objectives for your intended ISMS.
Leadership
Information security controls

Change management is a vital part of a robust ISMS, as the evolution of information security management and also the changes happening within an organization’s context can be rapid in today’s world. In this clause, the expectation is to plan the change management before its implementation to ensure the purpose is clear, negative and positive consequences are considered and the integrity of the ISMS is preserved. The ‘Do’ part of the planned changes is implemented as per the requirements in

Note: Clause 6.3 was added to the ISO/IEC 27001:2022 version of the standard.
Clause 7: Support
Resources (7.1)
People
Systems
Financial

Clause 7 details the support required to establish, implement, maintain and continually improve the ISMS, including ensuring there are adequate resources not just at implementation time, but to ensure continued improvement of the ISMS. Resources can include people, systems and financial resources.

Any individual that has been allocated a role that could affect the information security performance needs to be assessed to ensure they possess the appropriate competence to undertake such a role. As we mentioned earlier, a project manager needs to be a good leader, but there will be other competencies a project manager should have. Being competent is often seen as demonstrating or having the appropriate behaviours and skills.
Clause 7: Support
Competence (7.2)
Training
Mentoring
Re-assignment
Hiring

The organization will need to determine the competency required for roles and then assess the individuals allocated to those roles to ensure they possess the required competency. What competencies a role requires will need to be decided by the organization and can be demonstrated through education, training or experience. Where an individual is found not to meet the competency level required, the organization will need to devise an action plan to address the gap and then evaluate the effectiveness of those actions. Those actions may include training, mentoring, re-assignment of current employees or the hiring or contracting of competent persons.
competence.
Activity 15: Competency of individuals (15 minutes)

Purpose:
Enable delegates to identify core competency requirements for person(s) doing work under their control that affects information security performance.

Duration:
15 minutes
5 minutes classroom discussion/review model answers

Directions:
Using the space provided on the next slide, identify 5 core competency requirements for the 3 roles listed below.
• Internal Auditor

Worksheet (space provided for each role):
Information Security Manager
Internal Auditor
Clause 7: Support
Awareness (7.3)
Communications (7.4)

It is a requirement of the Standard that any persons doing work under the organization’s control shall be aware of:
• ISMS policy
• Their contribution to the effectiveness of the ISMS, including roles and responsibilities
• Implications of not conforming with the ISMS requirements

Awareness can take many forms, from classroom style, e-learning, newsletters, signs, notice boards and emails. However, awareness is not a one-off exercise and will probably use many of the methods mentioned above.

When awareness takes place, and how, really leads on from Communication (Clause 7.4) and how an organization is going to communicate to both internal and external parties relevant to the ISMS. It’s important that people are kept informed of those aspects of the ISMS that affect them. If you inform everybody of everything, people will start to ignore communications because they will think it doesn’t apply to them. Therefore decisions will need to be made on what needs to be communicated, when it should be communicated, how it will be communicated, to whom, as well as who will be responsible for those communications and what form of medium that communication will take.
Clause 7: Support
Documented information should:
Be adequately protected
Be in the appropriate format for the organization, and media

The people responsible for the communication must be aware they are responsible and must have the appropriate competency to undertake the tasks allocated to them.

The final clause (in Clause 7) is around documented information. As covered briefly earlier, the Standard references elements that have to be available as documented information, i.e. information

Documented information needs to be controlled, so what does that mean? Well, documented information should:
• Have an appropriate identification and description (e.g. title, date, author, reference number)
• Be reviewed and approved for suitability and adequacy, where appropriate
• Be in the appropriate format for the organization (e.g. language, software, version, graphics) and media (e.g. paper, electronic)
Clause 7: Support
Classification
Distribution, access, retrieval and use
Storage and preservation
Control of changes
Retention and disposal

Therefore organizations should address the following, as applicable:
• Classification
• Distribution, access, retrieval and use
• Storage and preservation
• Control of changes
Activity 16: Create communication process
After reviewing the sample communications procedure provided, please try a first attempt at drafting a simple one of these for your intended ISMS

Purpose:
Enable delegates to create a simple communications process for their own organization

Duration:
15 minutes

Directions:
After reviewing the sample communications procedure provided, please try a first attempt at drafting a simple one of these for your intended ISMS. Activities 7, 8, 9, 11 and 15 should assist you here.
Clause 8: Operation
Information security risk treatment (8.3)

Clause 8 is closely linked to Clause 6 Planning. The processes determined in Clause 6 will be put into operation in Clause 8, i.e. the Standard requires that organizations plan, implement and control those processes needed to address risks and opportunities.

Most importantly this will include:
• Keeping documented information to demonstrate that the processes have been carried out as planned

The tutor will specifically elaborate on the last two bullet points above.

We are not going to cover this clause in any detail as we covered most of it during Clause 6 Planning.
Clause 9: Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
Determine the methods for monitoring, measuring, analysis and evaluation

Clause 9.1 is about the organization’s evaluation of its information security performance and the effectiveness of the ISMS.

The organization needs to determine what needs to be monitored and measured; this should include information security processes and controls. The methods chosen by an organization for undertaking the monitoring, measuring, analysis and evaluation must produce comparable and reproducible results to be considered valid.

In addition, the organization should determine when the monitoring and measuring shall be performed, who shall monitor and measure, when the results will be analyzed and evaluated and by whom. Your organization may require processes for legal and regulatory monitoring.
Clause 9: Performance Evaluation
Example:
The organization has a requirement to ensure that all new starters attend awareness training within 3 days of starting
The HR Manager evaluates whether new starters are attending within the 3 days of starting and will report any conformance/non-conformance to Management via the quarterly management report

An example of a security control that could be measured is:
The organization has a requirement to ensure that all new starters attend awareness training within 3 days of starting. Therefore, when someone has attended training, their training record is updated by the training team. Every quarter the Training Administrator, who is responsible for the monitoring and measuring, runs a report of people that have attended awareness training; this report will also show the date the person started with the organization. Every quarter, the HR Manager will analyze these results to evaluate whether new starters are attending awareness training within the 3 days of starting and will report any conformance/non-conformance to Management via the quarterly management report.
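The quarterly evaluation in the example above, worked through in Python as an added example that is not part of the BSI workbook: the training report rows, the names and the report dates are constructed, and "within 3 days" is interpreted as on or before the third calendar day after the start date.

```python
"""Quarterly monitoring and measurement of the 'awareness training within
3 days of starting' requirement (Clause 9.1 example). Added example, not from
the BSI workbook; all records below are constructed."""
from collections import Counter
from datetime import date, timedelta

# Requirement from the page: training within 3 days of starting. Assumption:
# "within 3 days" means on or before the third calendar day after the start date.
REQUIRED_WITHIN = timedelta(days=3)

# Constructed training report as the Training Administrator would run it:
# (person, start date, awareness training date or None if not yet attended)
TRAINING_REPORT = [
    ("alice", date(2022, 7, 4), date(2022, 7, 5)),     # day 1: conforms
    ("bob", date(2022, 7, 11), date(2022, 7, 14)),     # day 3: conforms (boundary)
    ("carol", date(2022, 8, 1), date(2022, 8, 8)),     # day 7: nonconformity
    ("dave", date(2022, 9, 19), None),                 # not trained
    ("erin", date(2022, 10, 3), date(2022, 10, 4)),    # Q4 starter, outside a Q3 report
]


def quarter_of(d):
    """Calendar quarter of a date, e.g. 2022-08-01 -> (2022, 3)."""
    return (d.year, (d.month - 1) // 3 + 1)


def evaluate(report, year, quarter, as_of):
    """HR Manager's evaluation for starters in one quarter. Each starter is
    'conforming', 'nonconforming', or 'pending' (not yet trained but the 3-day
    window has not elapsed as of the report date)."""
    outcome = {}
    for person, started, trained in report:
        if quarter_of(started) != (year, quarter):
            continue
        deadline = started + REQUIRED_WITHIN
        if trained is not None and trained <= deadline:
            outcome[person] = "conforming"
        elif trained is None and as_of <= deadline:
            outcome[person] = "pending"
        else:
            outcome[person] = "nonconforming"
    return outcome


def management_report(outcome):
    """Figures for the quarterly management report, naming nonconforming cases
    so that corrective action (Clause 10.2) can be assigned."""
    counts = Counter(outcome.values())
    total = len(outcome)
    pct = round(counts["conforming"] / total * 100, 1) if total else 0.0
    return {
        "starters": total,
        "conforming": counts["conforming"],
        "pending": counts["pending"],
        "nonconforming": sorted(p for p, s in outcome.items() if s == "nonconforming"),
        "conformance_pct": pct,
    }


def run_quarter(report, year, quarter, as_of_iso):
    """Convenience wrapper: the report date is given as an ISO date string."""
    return management_report(evaluate(report, year, quarter, date.fromisoformat(as_of_iso)))


if __name__ == "__main__":
    # Q3 2022 report run on 1 October 2022 on the constructed data
    print(run_quarter(TRAINING_REPORT, 2022, 3, "2022-10-01"))
```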
Activity 17: Monitoring and measurement (10 minutes)

(Part 1)
Purpose:
Review and identify monitoring/measurement activities within ISO/IEC 27001.

Duration:
10 minutes
5 minutes classroom discussion

Directions:
Using your copy of ISO/IEC 27001, identify what would need monitoring, measuring, analyzing and evaluating within the Standard.

(Part 2)
Purpose:
Review and identify monitoring/measurement activities for specific requirements/criteria or controls.

Duration:
10 minutes
5 minutes classroom discussion

Directions:
Considering one item, identified from the last activity/or a specific control you have in mind, determine:
2) What methods would you use for monitoring, measuring, analysis and evaluation?
4) When the results from the monitoring and measurement will be analyzed and evaluated?
Internal Audit (9.2)
Management Review (9.3)

As with other management system standards, internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement.

Clause 9.2.1 General: Internal audits shall be conducted at planned intervals to provide information on whether the ISMS conforms to the requirements of the Standard and to the requirements of the organization. Therefore an audit programme should be established which takes into consideration the importance of the processes concerned and shall ensure that all areas of the ISMS are audited. However, it is likely that key or high risk areas will be audited more frequently. The audit programme can include a mixture of process, function and control audits, e.g.:
Clause 9: Performance Evaluation
Management Review (9.3)
Identify opportunities for continual improvement which could include feedback from interested parties and results from risk assessments

Clause 9.2.2 Audit programme: The audit programme shall include the frequency of audits, the methods used for auditing as well as the planning and reporting requirements.

The final clause in this section is Management Review (9.3).
In order to ensure an effective management system, ISO/IEC 27001 identifies the need for a periodic
corrective actions, audit results, monitoring and measurement results, reviewing the status of information security objectives
• Identify opportunities for continual improvement which could include feedback from interested parties and results from risk assessments
Management Review (9.3)
General (9.3.1)
Management review inputs (9.3.2)
Management review outputs (9.3.3)
• Policy
• Training Needs
• ISMS Performance

It is important for management to review the ISMS to determine whether it’s still effective. In simple terms, management review can be seen as a gap analysis between what the business has said will happen (policy, objectives, processes etc.) and what is actually happening. Management reviews shall be undertaken at planned intervals. If your organization already has management meetings taking place, then Information Security could be added as an agenda item, rather than scheduling a

Organizations may prefer to hold regular operational meetings to review and discuss elements of the ISMS with key personnel representing all areas of the business within scope. This may enable the organization to undertake a management review less often. During the ISMS implementation stages more regular meetings may be required, as there are a significant number of decisions to be made and actions to be agreed, but once the ISMS is established these meetings could become less frequent.
Implementing an ISMS is not about saying you won’t have any breaches, but it’s about managing and minimizing the risks and impacts in a structured effective way

Conducting a Management Review will ensure that you know which issues are important to the business. Without knowing this, you could be wasting time, effort and money on addressing the lower risk activities rather than focusing on the high impact, high risk activities.

So not having an ISMS can make managing your IS performance less effective. This could lead to more breaches and more fines! And less effective use of resources. It is important to note that implementing an ISMS is not about saying you won’t have any breaches, but it is about managing and minimizing the risks and impacts in a structured effective way.
Nonconformity and corrective action (10.2)

When a nonconformity, i.e. a non-fulfilment of a requirement, occurs, the organization needs to have processes in place to detect it and respond to it. Organizations should look to implement an event and/or incident reporting process to ensure that nonconformities are reported to the correct people in a timely manner so appropriate actions can be taken.

Nonconformities of the ISMS have to be dealt with and, together with corrective actions, prevent a re-occurrence.

When investigating nonconformities the organization should continue to ask why something has happened, to determine the root cause of the problem rather than just treating the symptom.

Once the organization is aware of the root cause it will then be able to determine if similar
Corrective action
Evidence

Once it is known why something has happened, the organization can identify what the corrective action should be. It is always possible that there will be multiple corrective actions required to treat a single nonconformity. Corrective actions should be reviewed to ensure they have been effective.

Documented information should be retained as evidence of the nonconformity and corrective actions.
Continual improvement (10.1)
“Recurring activity to enhance performance”
ISO/IEC 27000

The final requirement of the Standard is Continual improvement. As with all management system standards, continual improvement is a core requirement of the Standard.

The continual improvement process can be broken down into a series of identifiable actions:
• Implement solutions
• Measure effectiveness of actions taken
• Document changes and make sure those who need to know do know
Activity 18: Continual improvement process
Grasp the knowledge on the benefits of improving information security performance (10 minutes)

Purpose:
To enable delegates to answer questions like: ‘How is this system going to improve our information security performance and therefore its benefit to us?’

Duration:
10 minutes
5 minutes classroom discussion/review model answers

Directions:
1) Please try and identify a range of continual improvement processes that need implementing within ISO/IEC 27001, which should have an impact on information security performance. Write them in the space below.

2) Once you have done this, select two or three and draw some pictures on a flipchart, as if you were explaining to your colleagues back at work how these work, and how they could be implemented within existing systems of the organization.

3) Finally, try and answer the above question from your responses – the tutor will ask a selected pair to explain.
[Diagram: PAS 99:2012 high level structure. Elements: Planning; Support; Operation; Performance evaluation; Improvement. Input: Customers and stakeholders. Records: Quality records. OUTPUT: Right managerial decisions to achieve policy and expectations.]
This is a diagram from PAS 99:2012 and shows the new high level structure for all new/revised
management systems.
Therefore it is now possible to integrate many elements of your ISMS into other management systems,
e.g. ISO 45001, ISO 9001, ISO 22301, etc.
Strategy for Implementation
Please be aware, though, that ‘Even elements which are considered common can have subtle differences
within the content of the individual standard’.
[Flowchart: Overall project management process mapped to the PDCA cycle]
• PLAN: Consider certification; Communicate interest to the business; Identify project milestones; Create Gantt chart
• DO: Support project; Implement the plan; Operate the system; Monitor project
• CHECK: Management review; Implementation complete? (Yes/No)
• ACT: Prepare for certification; Maintain and continually improve system

This process is meant to be used only as an example for descriptive purposes. Your implementation
process should be modified and developed to suit your business as appropriate, including consideration
of scale, style, culture and complexity.
During this course you have worked through a typical framework for implementing ISO/IEC 27001
following the PDCA cycle, and have conducted a baseline review of your organization’s current
position with regards to ISO/IEC 27001.
You have identified project milestones and created a Gantt chart/task sheet. You have looked at the
(Please refer to References: Overall Project Management Process and link to PDCA)
The learning objectives identified at the beginning of the course were to:
• Explain key elements of a management system implementation process
• Identify a typical framework for implementing ISO/IEC 27001 following the PDCA cycle
• Conduct a baseline review of the organization’s current position with regard to ISO/IEC 27001
• Interpret the requirements of ISO/IEC 27001 from an implementation perspective in the context of
their organization
Summary
The Standard’s requirements start with understanding the organization and its context, which includes
internal and external issues and the information security requirements of interested parties. Top
management commitment and leadership is key and management must ensure that appropriate
resources are available, as well as directing and supporting individuals to contribute to the
effectiveness of the ISMS.
Processes should be in place to address risks and opportunities. Processes need to define criteria for
performing information security risk assessments as well as selecting appropriate information security
risk treatment options and establishing information security objectives at relevant functions and levels.
Controls should be determined to implement the necessary risk treatment options chosen, including
comparing controls within Annex A to ensure no necessary controls have been overlooked.
Resources needed for the establishment, implementation, maintenance and continual improvement of
the ISMS should be determined. Any person doing work under the organization’s control that affects
its information security performance should be competent and made aware of the information security
policy through appropriate communications. The ISMS shall include documented information required
by the Standard, as well as documented information determined necessary by the organization, all of
which shall be controlled.
The organization shall perform information security risk assessments and implement risk treatment
plans in accordance with the criteria identified during the planning stage.
The performance of information security and the effectiveness of the ISMS shall be evaluated through
appropriate monitoring, measurement, analysis and evaluation methods. Internal audits shall be
conducted at planned intervals to ensure the ISMS conforms to the organization’s and the Standard’s
requirements. Top management shall review the ISMS at planned intervals to ensure its continuing
suitability, adequacy and effectiveness.
Organizations shall continually improve the suitability, adequacy and effectiveness of the ISMS.
Address: BSI
Telephone:
Fax:
Email: <general training email>@bsigroup.com