
ISO 27001.

TO BE, OR NOT TO BE…


Agenda

Information Security Management System

preserving the availability, confidentiality and integrity of the physical and information assets of the organization.

a systematic approach for managing and protecting a company's information. The ISMS represents a set of policies, procedures, and various other controls that set the information security rules in an organization.
Benefits

• Reduce the chances of security breaches within the IT environment
• Control of IT risks
• Confidentiality of information
• Minimization of IT risks, possible damage and consequential costs
• Lower costs
• Systematic detection of vulnerabilities
• Competitive edge due to a recognized standard
• Fulfillment of internationally recognized requirements
• Increase in trust with respect to partners, customers and the public
• A structured method to address compliance requirements
The PDCA Cycle

Plan
• Understanding the organization
• Scope
• Information security policy
• Risk Assessment

Do
• Organizational structure
• Implementation of policies and procedures
• Document management
• Training and awareness
• Incident management

Check
• Monitoring and review
• Measurement, analysis and specification
• Internal Audit
• Management review

Act
• Treatment of non-conformances
• Continual improvement
ISO Requirements

• Mandatory requirements for implementation of the ISMS
• Annex A – Reference control objectives and controls
ISO Requirements:

Requirements
• Understand the context of the organization and the expectations of interested parties regarding the ISMS
• Define the scope of the ISMS
• Management shall demonstrate commitment with respect to the ISMS

Challenges
• Decide the scope that shall be chosen for the ISMS
• Involve management and provide evidence of management commitment
ISO Requirements:

Requirements
• Document information required by the standard (e.g. Scope, Security policy, etc.)
• Review and control documented information

Challenges
• Keep ISMS documentation up to date
• Ensure that documents were communicated to the appropriate people
• Provide evidence of approvals
Document Management

• Policy – High-level organizational rules
• Standard – Specifies the method of support for a policy
• Procedure – Step-by-step how-to instructions
• Guideline – Best practice, recommendations
ISO Requirements:

Requirements
• Identify and evaluate risks
• Provide risk mitigation

Challenges
• Choose a risk management method and tool for an effective risk register
• Involve subject matter experts for risk identification and evaluation
• Obtain Information Owners' approval for risk treatment or acceptance

Risk Management
ISO Requirements:

Requirements
• Measurements
• Internal audit
• Regular management reviews

Challenges
• Create and maintain comprehensive metrics to measure objectives
• Choose the Internal Audit Team and set requirements
• Obtain feedback from management
ISO Requirements:

Requirements
• Detect non-conformities
• Provide corrections and improvements

Challenges
• Non-conformances shall be analyzed for root causes
• Provide not only corrective actions, but also preventive ones
Annex A Controls

• Statement of Applicability
• Criteria for inclusion and exclusion:
  • Business requirements
  • Client requirements
  • Risk Assessment results
Implementation milestones
