Information Security Management Awareness
[Figure: ISMS overview diagram. Elements shown: Understanding the organisation; Expectations of interested parties/stakeholders; Market requirements and customer interaction; Management commitment; Risks and opportunities planning; ISMS objectives; Quality policy; Resources; Competence; Communication; Documented information; Operational measurement, analysis and evaluation; Internal audits; Non-conformity and corrective action; Improvement; Information Security Management System.]
Features of ISO 27001: 2013
The standard covers 114 controls in 14 domains:
Control No.  Domain Name
5            Information Security Policies
6            Organization of Information Security
7            Human Resource Security
8            Asset Management
9            Access Control
10           Cryptography
11           Physical and Environmental Security
12           Operations Security
13           Communications Security
14           System Acquisition, Development and Maintenance
15           Supplier Relationships
16           Information Security Incident Management
17           Information Security Aspects of Business Continuity Management
18           Compliance
ISMS
Risk Management
• Risk & Opportunity Identification
• Risk Estimation
– Assign to a Risk Owner
– Risk Value = C,I,A, Vulnerability, Threat, Probability & Impact
– Document Implemented Controls
– Review if additional controls are required
– Set Target Date
– Review Risks frequently
– Residual Risk Value = C,I,A, R. Vulnerability, Threat, R. Probability & Impact
– Review risks frequently to identify new risks as well as to review the identified risks
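The risk estimation steps above, worked through in code. This is an added example and not part of the original slides; it assumes a 1-3 scoring scale for every factor, takes the asset value as the highest of the C, I and A ratings, multiplies the factors to get the risk value, and applies the same formula with the reduced ("R.") vulnerability and probability to get the residual risk value. The threshold, review interval and register entries are constructed for the example.

```python
"""Minimal ISMS risk register following the Risk Estimation steps:
assign an owner, score the risk, document controls, set a target date,
compute residual risk and flag risks that are due for review.
All scoring rules and sample data are assumptions for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

HIGH_RISK_THRESHOLD = 81   # assumed acceptance threshold (not from the slides)
REVIEW_INTERVAL_DAYS = 90  # assumed review cadence for "review risks frequently"
REVIEW_DATE = date(2024, 6, 30)  # constructed "today" for the example


@dataclass
class Risk:
    asset: str
    owner: str                                # "Assign to a Risk Owner"
    c: int                                    # confidentiality rating, 1-3
    i: int                                    # integrity rating, 1-3
    a: int                                    # availability rating, 1-3
    vulnerability: int
    threat: int
    probability: int
    impact: int
    controls: List[str] = field(default_factory=list)  # "Document Implemented Controls"
    residual_vulnerability: Optional[int] = None       # "R. Vulnerability" after controls
    residual_probability: Optional[int] = None         # "R. Probability" after controls
    target_date: Optional[date] = None                 # "Set Target Date"
    last_reviewed: Optional[date] = None

    def asset_value(self) -> int:
        # Assumption: asset value is the highest of the C, I, A ratings.
        return max(self.c, self.i, self.a)

    def risk_value(self) -> int:
        # Risk Value = C,I,A x Vulnerability x Threat x Probability x Impact
        return (self.asset_value() * self.vulnerability * self.threat
                * self.probability * self.impact)

    def residual_risk_value(self) -> int:
        # Residual Risk Value uses the reduced vulnerability and probability;
        # if no controls changed them, the residual equals the original risk.
        rv = self.vulnerability if self.residual_vulnerability is None else self.residual_vulnerability
        rp = self.probability if self.residual_probability is None else self.residual_probability
        return self.asset_value() * rv * self.threat * rp * self.impact

    def needs_additional_controls(self) -> bool:
        # "Review if additional controls are required": residual risk still too high.
        return self.residual_risk_value() >= HIGH_RISK_THRESHOLD


def risks_due_for_review(register: List[Risk], today: date = REVIEW_DATE) -> List[Risk]:
    """Risks never reviewed, or last reviewed longer ago than the interval."""
    return [r for r in register
            if r.last_reviewed is None
            or (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries (hypothetical assets and owners)."""
    hr_db = Risk("HR database", "HR Manager", c=3, i=3, a=2,
                 vulnerability=3, threat=3, probability=3, impact=3,
                 controls=["role-based access", "encryption at rest"],
                 residual_vulnerability=1, residual_probability=2,
                 target_date=date(2024, 9, 30), last_reviewed=date(2024, 5, 1))
    website = Risk("Public website", "IT Head", c=1, i=2, a=3,
                   vulnerability=2, threat=3, probability=3, impact=3)
    return [hr_db, website]


if __name__ == "__main__":
    for r in build_sample_register():
        print(f"{r.asset}: owner={r.owner} risk={r.risk_value()} "
              f"residual={r.residual_risk_value()} "
              f"more controls needed={r.needs_additional_controls()}")
    print("due for review:", [r.asset for r in risks_due_for_review(build_sample_register())])
```

With the constructed data the HR database scores 243 and drops to 54 once its two controls are counted, while the website with no documented controls stays at 162 and is flagged for additional controls and for review.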
End of Session 1
Q&A
• Information Security Scope Statement
• ISMS Policy Statement
• Policies covering other ISMS Requirements
• Statement of Applicability
• System Manual
• Information Classifications
– Public, Internal, Confidential & Most Confidential
• Procedures
– Purpose, Scope, Entry & Exit Criteria, Inputs, Procedure, Verification, Measurements, Records, References, ISO Clause reference & Abbreviations
• Guidelines
• Formats and Records
ISMS – HR Process
• Recruitment
– Background Check
– NDA, Employment Agreements and Other relevant Documents
– ID Card Issues and Return
• Relieving
– Removing authorizations & permissions
– Exit Interview
• Disciplinary Action
• Legal Compliance
ISMS – Training Process
• Identify Training Needs
– Mandatory and Optional
• Training Calendar
• Identify Trainers
• Training Material Preparation
• Conducting Training
– Attendance
– Feedback
• Monitor Training Effectiveness
ISMS – Admin & Purchase
• Physical Security
• Third Party Access
• Work Environment Maintenance
• CCTV Monitoring
• Fire Safety & Fire Drill
• Equipment Maintenance
• Purchase & Outwards
ISMS – IT Infrastructure Process
• IT Asset Installation
• Network Administration and Maintenance
• IT Asset Allocation and Maintenance
– Preventive and Breakdown Maintenance
• Back up and Restoration
• Vulnerability Analysis and Penetration Test
• Reuse and Disposal of Information Assets
• IT Verification Checks
ISMS – System and Application Access Control Process
• Account Creation
• User registration and De-registration
• Modification of Access Rights
• Review of Access Rights
• Asset Management
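An added example (not from the original slides) of the access-rights review step, tied to the HR relieving step of removing authorizations and permissions: it reconciles a constructed HR roster against a constructed list of system accounts and reports accounts whose owner has left, accounts with no HR record, and rights beyond what the person's role approves. The role-to-rights mapping, system names and records are all assumptions for the example.

```python
"""Periodic access-rights review: cross-check system accounts against the
HR roster and an approved rights-per-role matrix. All data is constructed."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed HR roster: who is still employed and in which role.
HR_ROSTER = {
    "alice": {"role": "developer", "status": "active", "relieved_on": None},
    "bob":   {"role": "hr", "status": "relieved", "relieved_on": date(2024, 5, 15)},
    "carol": {"role": "sysadmin", "status": "active", "relieved_on": None},
}

# Constructed account export from the systems in scope.
ACCOUNTS = [
    {"user": "alice", "system": "git", "rights": {"read", "write"}},
    {"user": "alice", "system": "hr-portal", "rights": {"read"}},      # not part of her role
    {"user": "bob", "system": "hr-portal", "rights": {"read", "write"}},  # owner has left
    {"user": "carol", "system": "git", "rights": {"read", "write", "admin"}},
    {"user": "dave", "system": "git", "rights": {"read"}},             # unknown to HR
]

# Assumed approved rights per role and system.
APPROVED_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "developer": {"git": {"read", "write"}},
    "hr": {"hr-portal": {"read", "write"}},
    "sysadmin": {"git": {"read", "write", "admin"}, "hr-portal": {"read"}},
}

Finding = Tuple[str, str, str]  # (user, system, issue)


def review_access(roster, accounts, approved) -> List[Finding]:
    """Return one finding per account that fails the review."""
    findings: List[Finding] = []
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # No HR record at all: orphan account, nobody owns it.
            findings.append((acct["user"], acct["system"], "orphan account: no HR record"))
            continue
        if person["status"] != "active":
            # Relieving step missed: the account should have been de-registered.
            findings.append((acct["user"], acct["system"],
                             f"owner relieved on {person['relieved_on']}: de-register"))
            continue
        allowed = approved.get(person["role"], {}).get(acct["system"], set())
        excess = acct["rights"] - allowed
        if excess:
            # Modification-of-access-rights drift: more than the role approves.
            findings.append((acct["user"], acct["system"],
                             f"rights beyond role: {sorted(excess)}"))
    return findings


def review_sample() -> List[Finding]:
    return review_access(HR_ROSTER, ACCOUNTS, APPROVED_RIGHTS)


if __name__ == "__main__":
    for user, system, issue in review_sample():
        print(f"{user:6} {system:10} {issue}")
```

Run on a real account export, the same three checks give the review owner a short list to act on: de-register leavers, assign or remove orphan accounts, and trim rights back to the role.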
ISMS – Capacity Management Process
• Change Identification
– Software / Hardware
– Infrastructure
– Organisation Structure
• Analyse the Change
• Implementation
• Monitoring
ISMS – Incident Management Process
Q&A