
Information Security Management System (ISMS)

© All Rights Reserved. Cybermate Infotek Limited - 2017


Objectives
a) Understand and appreciate the importance of information
security
b) Overview of ISO 27001 Clauses
c) Overview of ISO 27001 Controls
d) Risk management process
e) How can you support information security in the organization?

Contents
PART 1 - ISMS Concepts and Benefits
a) Information and Information Security
b) Threats and Vulnerabilities
c) Information Security Management System
(ISMS)
d) Benefits of ISMS
PART 2 - ISMS Standards
a) PDCA Model applied to ISMS processes
b) ISO 27001 Framework
c) ISO 27001 Clauses
d) ISO 27001 Controls
PART 3 - Risk assessment and Risk management
a) What is Security Risk ?
b) Risk assessment process
c) Risk management process
ISMS Concepts & Benefits
• Information and Information Security
• Threats and Vulnerabilities
• Information Security Management System (ISMS)
• Benefits of ISMS
What is Information
Asset: Anything that has value to the organization
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. (ISO/IEC 17799)

Information can exist in many forms:
• Data stored on computers
• Transmitted across networks
• Printed out
• Written on paper sent by fax
• Stored on disks
• Held on microfilm
• Spoken in conversations over the telephone
Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected throughout its life cycle.



Some Common Threats and Vulnerabilities to Information Assets
• High user knowledge of IT systems
• Theft, sabotage, misuse, hacking
• Version control problems
• System/network failure
• Unrestricted access
• Lack of documentation
• Virus
• Natural calamities
• Fire



Threats & Vulnerabilities

Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.

Some more examples of Threats:
Fire, Theft, Floods, Strikes, Power failure, Explosion, Terrorist attacks, Lightning, Third party personnel, Physical intrusion, Virus, Misuse of resources, Media deterioration, External hacking etc.

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.



What is Needed?

Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management



Information Security...

• Protects information from a range of threats
• Ensures business continuity
• Maximizes return on investments and business opportunities



Objectives of Information Security

Preservation of:

Confidentiality: Ensuring that information is available to only those authorized to have access.

Integrity: Safeguarding the accuracy and completeness of information and processing methods.

Availability: Ensuring that information and vital services are available to authorized users when required.



But the problem is...

To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust.



Need for ISMS

• Information security that can be achieved through technical means is limited
• Security also depends on people, politics, policies, processes and procedures
• Resources are not unlimited
• It is not a one-off exercise, but an ongoing activity

All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).



Information Security Management System (ISMS)

ISMS is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

ISMS is a management assurance mechanism for security of information assets concerning their
• availability
• integrity and
• confidentiality



Process for developing an ISMS

• Assets identification & valuation
• Threats & Vulnerabilities assessment



ISMS Standards
• PDCA Model applied to ISMS processes
• ISO 27001 Framework
• ISO 27001 Clauses
• ISO 27001 Controls



PDCA Cycle



PDCA Model applied to ISMS Processes

Input: Interested Parties, with their Information Security Requirements & Expectations
• PLAN (Establish the ISMS)
• DO (Implement and operate the ISMS)
• CHECK (Monitor and review the ISMS)
• ACT (Maintain and improve the ISMS)
Development, maintenance and improvement cycle
Output: Interested Parties, with Managed Information Security



ISO 27001 Structure
1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
   4.1 General
   4.2 Establish and manage ISMS
   4.3 Documentation
   4.4 Control of Records
5. Management Responsibility
   5.1 Management Commitment
   5.2 Resource Management
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
   8.1 Continual Improvement
   8.2 Corrective Actions
   8.3 Preventive Actions
Information Security Management Systems

1. General
2. Establishing and managing the ISMS
   - Establish
   - Implement and Operate
   - Monitor & Review
   - Maintain
3. Documentation requirements
   - Control of documents
   - Control of records



Management Responsibility

1. Management commitment
   - ISMS policy, objectives and plans
   - Roles and responsibilities
   - Communication on security objectives, legal and regulatory requirements and continual improvement
   - Adequate resources
   - Criteria for accepting risks and the acceptable levels of risk
   - Internal ISMS audits
   - Management reviews
2. Resource management
   - Provision of resources
   - Training, awareness and competence



Internal ISMS Audits

• Conduct internal ISMS audits at planned intervals
• Documented procedure for internal ISMS audit
• Maintaining records

Why conduct internal audits?
Who conducts internal audits?



Management Review of ISMS

1. General: Top management shall review the ISMS at planned intervals (at least once a year)
2. Review input
3. Review output



ISMS Improvement

1. Continual improvement
2. Corrective action
3. Preventive action

What is the difference between corrective action and preventive action?



Structure of Annexure - A

A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical & Environmental Security
A.10 Communications & Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development & Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance



ISO 27001: Control Objectives and Controls

[Diagram labels: Specifies Requirements; Satisfies Objectives]

11 Domains



ISO/IEC 27001: Control Objectives and Controls

"Not all the controls described will be relevant to every situation, nor can they take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organization."



A.5 Security Policy

A.5.1 Information Security Policy



A.6 Organization of Information Security

A.6.1 Internal Organization

A.6.2 External Parties

Third Party Agreement

Examples of external parties?



A.7 Asset Management

A.7.1 Responsibility for assets

Asset Types:
a. Information - databases and data files, contracts and agreements, system documentation, user manuals, training materials etc.
b. Software assets - application software, system software, development tools and utilities
c. Physical assets - computer equipment, communications equipment, removable media etc.
d. Services - communication services, general utilities, e.g. lighting, power, AC
e. People

A.7.2 Information Classification
Classification levels: Top Secret, Secret, Confidential, Restricted, Public



A.8 Human Resources Security

A.8.1 Prior to employment

A.8.2 During Employment

A.8.3 Termination or change of employment



A.9 Physical and environmental security

A.9.1 Secure Areas

A.9.2 Equipment Security



A.10 Communication and operations management - 1

A.10.1 Operational Procedures and Responsibilities

A.10.2 Third Party Services delivery management

A.10.3 System Planning and Acceptance

Too much load !



A.10 Communication and operations management - 2

A.10.4 Protection against malicious and mobile code

A.10.5 Back-up

A.10.6 Network Security Management

A.10.7 Media Handling



A.10 Communication and operations management - 3

A.10.8 Exchange of Information

A.10.9 Electronic commerce services

A.10.10 Monitoring



A.11 Access Control - 1

A.11.1 Business Requirement for Access Control

A.11.2 User Access Management

A.11.3 User Responsibilities

A.11.4 Network Access Control



A.11 Access Control - 2

A.11.5 Operational System Access Control

A.11.6 Application and Information Access Control

A.11.7 Mobile Computing and Teleworking



A.12 Information systems acquisition, development and maintenance

A.12.1 Security Requirements of Information Systems

A.12.2 Correct processing in applications

A.12.3 Cryptographic controls

A.12.4 Security of system files

A.12.5 Security in development and support processes

A.12.6 Technical vulnerability management



A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

A.13.2 Management of information security incidents & improvements

What is an Information Security Event?

What is an Information Security Incident?

Examples?

Incident Management Process?



A.14 Business Continuity Management

A.14.1 Information Security aspects of BCM

Difference between incident and disaster ?

Difference between Business continuity & Disaster recovery ?

What are the steps involved in developing an effective Business Continuity Plan ?



A.15 Compliance

A.15.1 Compliance with Legal Requirements

What are the possible applicable legal / statutory requirements?

A.15.2 Compliance with security policies and standards and technical compliance

A.15.3 Information systems audit considerations



Risk Assessment and Risk Management

• What is Security Risk?
• Risk assessment process
• Risk management process



What is Risk

A security risk is the potential that a given threat will exploit vulnerabilities to cause loss/damage to an asset and hence directly/indirectly to the organization.

It is a function of the impact of the undesirable event and the likelihood of the event occurring.



What is Risk Assessment

• Assessment of threats to, impacts on and vulnerabilities of assets and the likelihood of their occurrence
• It produces an estimate of the risk to an asset at a given point in time. It answers the following questions:
  - What can go wrong?
  - How bad could it be?
  - How likely is it to occur?
  - How to manage the risk?
• The outcome of the risk assessment process is a list of risks, ranked according to some scale and associated with the assets they relate to



Risk Assessment Components & Relationships

[Diagram: threats exploit vulnerabilities and increase risks; vulnerabilities expose assets and increase risks; assets have values; risks indicate security requirements, which are met by controls; controls protect against threats and reduce risks]



Related Terms

• Risk analysis: Systematic use of information to identify sources and to estimate the risk
• Risk evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk
• Risk assessment: Overall process of risk analysis and risk evaluation
• Risk management: Coordinated activities to direct and control an organization with regard to risk
• Risk treatment: Process of selection and implementation of measures to modify risk
• Residual risk: The risk remaining after risk treatment
• Risk acceptance: Decision to accept the risk



Risk Assessment Process

1. Asset identification and valuation
2. Threat assessment
3. Vulnerability assessment
4. Identification of existing and planned security controls
5. Risk assessment



Risk Management Process

The Risk Assessment Output feeds the choice of Risk Treatment options:
• Avoiding the risk
• Reducing the risk (use security controls)
• Transferring the risk
• Accepting the risk



RA Methodology - Example

Asset Name: Laptops
Asset Code: XXX
Asset Value (1 to 5 scale): C = 5, I = 3, A = 4
Threat: Theft
Vulnerability: Unattended
Existing controls: None
Probability (1 to 3): 3
Impact (1 to 3): 3
Risk Value: 11 (= 5 + 3 + 3)
Controls: (left blank in the example)

• Let us say, Acceptable level of Risk = 7
• Risk Value = Bigger number of Asset value (of C, I, A) + Probability + Impact

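As an added worked example (not from the slides), the risk value formula and acceptance threshold above applied to a small risk register that is validated, ranked and split into "treat" or "accept" decisions. The Laptops row is the slide's own; the second row and the rule that a value equal to the acceptable level is accepted are assumptions.

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 7  # acceptable level of risk used in the slide's example


@dataclass
class RiskEntry:
    # Field order follows the slide's register table.
    asset_name: str
    asset_code: str
    c: int            # confidentiality value, 1 to 5
    i: int            # integrity value, 1 to 5
    a: int            # availability value, 1 to 5
    threat: str
    vulnerability: str
    existing_controls: str
    probability: int  # 1 to 3
    impact: int       # 1 to 3

    def __post_init__(self):
        # Reject values outside the slide's scales before any risk value is computed.
        for name, v in (("C", self.c), ("I", self.i), ("A", self.a)):
            if not 1 <= v <= 5:
                raise ValueError(f"{name} must be 1 to 5, got {v}")
        for name, v in (("probability", self.probability), ("impact", self.impact)):
            if not 1 <= v <= 3:
                raise ValueError(f"{name} must be 1 to 3, got {v}")

    def risk_value(self) -> int:
        # Risk Value = bigger number of asset value (of C, I, A) + Probability + Impact
        return max(self.c, self.i, self.a) + self.probability + self.impact

    def needs_treatment(self, acceptable: int = ACCEPTABLE_RISK) -> bool:
        # Assumption: a risk value equal to the acceptable level is accepted as-is.
        return self.risk_value() > acceptable


def rank_risks(entries):
    # The risk assessment outcome is a list of risks ranked by value, highest first.
    return sorted(entries, key=lambda e: e.risk_value(), reverse=True)


def treatment_report(entries, acceptable: int = ACCEPTABLE_RISK):
    return [(e.asset_name, e.risk_value(), "treat" if e.needs_treatment(acceptable) else "accept")
            for e in rank_risks(entries)]


# Constructed register: the Laptops row is the slide's example, the second row is made up.
REGISTER = [
    RiskEntry("Laptops", "XXX", 5, 3, 4, "Theft", "Unattended", "None", 3, 3),
    RiskEntry("Payroll DB", "DB01", 4, 4, 2, "Misuse", "Unrestricted access", "Password only", 2, 1),
]
```

Running `treatment_report(REGISTER)` ranks Laptops (11) above Payroll DB (7) and flags only the laptops for treatment.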


Selection of Control Objectives & Controls - 1

• Review the risks and identify options for the risk treatment
• The selection of controls should be made to bring down the risk to an acceptable level
• The selection of controls should be cost effective
• These shall include, as appropriate:
  - Controls from ISO 27001
  - Legal requirements
  - Business requirements
  - Any other relevant controls



Selection of Control Objectives & Controls - 2

• Formulation of the risk treatment plan

• Documenting the Statement of Applicability (SoA): a document describing the control objectives and controls that are relevant and applicable to the organization, based on the results and conclusions of the risk assessment and risk treatment process

• The Statement of Applicability will also record the exclusion, with justification, of any controls listed in the ISMS Standard (ISO 27001)
Examples of Threats

Examples of Vulnerabilities

What is Confidentiality, Integrity, Availability

Advantages of Information Security

What is ISO 27001 and ISO 17799

Frequency of Internal Audits



Frequency of Management Reviews

What is correction, corrective action and preventive action

What is Risk treatment and residual risk

What is Statement of Applicability (SoA)

Documentation required for ISO 27001

Exclusions allowed in ISO 27001

How can you support information security in the organization?
THANK YOU