first practice - information security management system implementation and iso 27001 certification

First Practice - Information Security Management System Implementation and

ISO 27001 Certification

Scope• NBG Services

• Evaluation criteria

• Services and Business processes

• Evaluation results

• ISO/IEC 27001:2013 Certification

• Legal requirements

Scope• International Payment and Reserve Management

Service

• Georgian Payment and Security Settlement Service

• Human resources, Public Relations, Chancellery, Logistics, Legal, Accounting, Internal Audit)

• All Types of Information Assets

Approach

Goals• Ensure compliance

Confidentiality, Availability And Integrity needs.• Establish controls for protection.• Motivate employees• Ensure in continuity.• Ensure the protection of personal data (privacy).• Ensure the availability and reliability of

Infrastructure.• Comply with - ISO/IEC 27001:2013.• Ensure in external service providers compliance.• Ensure flexibility and an acceptable level of

InfoSec security

Acceptable Level

Initiation Project• Competent Consultancy service

• Accreditation requirements

• Tender documentation

• Service requirements

• Project Management Practice

Policy• Context of the National Bank of Georgia • Scope (Procedure) • policy (Policy) • Objectives (Procedure) • Roles and Responsibilities (Procedure) • Risk management (Procedure) • Documented information (Procedure)• Internal audit (Procedure) • ISMS Policy Manual • Employee Guidelines National Bank of Georgia

Policy Cont.• Business Continuity Plan• BCP Procedure (Procedure) • Business continuity (policy) • Risk treatment plan • Statement of Applicability (SoA) • Plan to archive Information security objectives• Contracting rules and templates• Contract template with new employee (Contract

template)• Internal audit plan• Information classification rule (Procedure) • Awareness program and training presentation

Records, Reports• Business impact analysis (Record)• BCP Testing and Maintenance Cycles (Record) • BCP Testing Report (Report) • Assets register (Report) • Risk identification and assessment (Report) • Risk treatment report (Report) • ISMS objectives status report (Report) • Evidence of competence (Record) • Monitoring and measurement (Record) • Internal audit program (Record) • Internal Audit report (Report) • List of corrective actions with results of effectively analysis (Record)• ISMS Management review (Record)• ISMS Contacts with authorities and special groups (Record)• List of suppliers related to ISMS (Record) • Regulation about acceptance of residual risks (Report)

Decision Making• Maximum 1 Working day

• Information security management committee and working group

• Change management committee

• Business continuity management committee and working group

• 2 months for 1 Service.

Acceptable Level

Audit Result• No critical nonconformities

• No nonconformities

• Several recommendations

• 8 domains are on fifth level of CMM

• 6 domains are on fourth level of CMM

• ISO/IEC 27001:2013 cerficate

Thank You