TUV INDIA PVT. LTD.
Delegate Notes
Information Security Management System
ISO 27001:2013
AWARENESS TRAINING
ISMS AWARENESS TRAINING
Session 2
History
WELCOME
• Safety - Be aware of emergency exits
• Restroom and Telephones - Nearest locations
• Contact Number - For urgent messages
• Personal Property - Keep possessions secure
• Mobile Phones - Please avoid interruptions
• Recording Devices - Not allowed in class
• Lunch and Breaks - Please return on time
• Smoking - Not permitted in the classroom
• Special Needs - Please inform the instructor
STUDENT INTRODUCTIONS
• Delegate’s name
• Company and product/service
• Job position / role
• Level of awareness of ISO 27001 Standard
• Level of involvement in organization’s ISMS
• What are your expectations from this course?
COURSE OBJECTIVES
To understand basic concepts of ISMS
To understand basic requirements of ISO 27001:2013 &
its interpretation
EXPECTATIONS
All are having reasonably good awareness of various
functions/processes of an organization
Participation during discussions
Participation in individual / syndicate group exercises
Course is generic & not tailor made for a particular type
of industry
COURSE CONTENTS
Introduction to ISO 27001,
Development & History
Family of ISO 27000 series of standards,
Basic requirements of ISO 27001:2013 & its
interpretation,
Risk assessment
SOA
Overview of implementation & certification
Exercise
Course summary,
End of course.
ISMS AWARENESS TRAINING
Session 2
History
UNDERSTAND THE BASICS
Generic
Generic means that the same standard can be applied to any organization, whatever its type, size or sector.
Management System
Management system refers to what the organization does to manage its
processes, or activities to achieve objectives.
Management System Standards
Management system standards provide a model to follow in setting up and
operating a management system
ISO 27001 History
1995 - BS 7799 Part 1 (code of practice), an initiative of the UK Department of Trade and Industry
1998 - BS 7799 Part 2 (specification for an ISMS)
1999 - Swedish standard SS 62 77 99 Part 1 & 2; new issue of BS 7799 Part 1 & 2
December 2000 - ISO/IEC 17799:2000 (BS 7799 Part 1 adopted internationally)
2001 - New BS 7799-2 drafted
Sep 2002 - New BS 7799-2 passed and accepted
2005 - "Change BS to ISO/IEC Std": new issue of ISO/IEC 27001:2005; new issue of ISO/IEC 27002:2005 (the renumbered ISO/IEC 17799)
2013 - New issue of ISO/IEC 27001:2013 and ISO/IEC 27002:2013
Session 3
Information Security Management System
ISO 27001:2013 OVERVIEW
What is information security?
“Information security protects
information from a wide range of threats
in order to ensure business continuity,
minimize business damage and maximize
return on investments and business
opportunities”
Terms and Definitions
The ISMS addresses the fundamental principles of security in terms of CIA:
Confidentiality (C): ensures that information is accessible only to those authorized to have access.
Integrity (I): safeguards the accuracy and completeness of information and processing methods.
Availability (A): ensures that authorized users have access to information and associated assets when required.
Introduction to ISO 27001
ISO/IEC 27001:2013, Information Technology –
Security Techniques – Information Security
Management Systems - Requirements
ISO/IEC 27002:2013, Information Technology –
Security Techniques – Code of practice for
Information Security Controls
Introduction to ISO 27001
International Standard provides a model for
establishing, implementing, maintaining, and
continually improving Information Security
Management System.
Shares the common high-level structure (Annex SL) used by other
management system standards, e.g. ISO 22301:2012, so that an ISMS
can be integrated with them.
ISO 27001 Requirements
Mandatory Requirements:
ISO/IEC 27001 Section4.0(Context of the Organization)
ISO/IEC 27001 Section 5.0 (Leadership)
ISO/IEC 27001 Section 6.0 (Planning)
ISO/IEC 27001 Section 7.0 (Support)
ISO/IEC 27001 Section 8.0 (Operation)
ISO/IEC 27001 Section 9.0 (Performance Evaluation)
ISO/IEC 27001 Section 10.0 (Improvement)
ISO 27001 Requirements
Reference Control Objectives & Controls (Annex A)
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communications security
A.14 System acquisition, development & maintenance
A.15 Supplier Relationships
A.16 Information security incident management
A.17 Information security aspects of BCM
A.18 Compliance
P – D – C – A Of Standard ISO 27001:2013
Rev. 04, Dec 2013
Plan
Establish the
ISMS
Do
Implement
and operate the
ISMS
Check
Monitor and
review the
ISMS
Act
Maintain and
improve the
ISMS
ISO/IEC 27001 Framework
0.2 P-D-C-A MODEL
Inputs – interested parties' requirements for the ISMS
Outputs – necessary actions, processes and procedures to
manage the ISMS and meet the requirements
Plan – clauses 4, 5, 6, 7
Do – clause 8
Check – clause 9
Act – clause 10
Plan
Sec. 4 Context of the organization
Sec. 5 Leadership
Sec. 6 Planning - risk management
Sec. 7 Support (resources)
Do
Sec. 8 Operational planning and
controls
Check
Sec. 9 Performance evaluation
Monitoring: internal audit
Review: management review
Act
Sec. 10 Improvement
Nonconformity – corrective action
Continual
Improvement
ISO/IEC 27001:2013 Framework
[Figure: information security framework. Information, whatever its form (electronic, paper, voice), is protected by preserving confidentiality, integrity and availability. Security requirements have three main sources: risk assessment, the objectives of the organization, and legal and contractual obligations. The requirements are implemented through policies, procedures, software functions, practices and the organizational structure.]
ISO 27001 Concepts
•Must specify Security Goals
•Controls based on Risk Analysis
•Choice on controls “A.5 to A.18”
•Continuous Verification Process
•Continuous Improvement Process
ISO 27001 Requirements
•Section 4 – 10 – Mandatory
•Annex A – Control objectives and controls
Note:
The organization can exclude controls from Annex A, but each
exclusion must in turn be justified in the SOA.
ISO/IEC 27001 Mandatory sections
•Section 1 - Scope
•Section 2 – Normative References
•Section 3 – Terms and definitions
•Section 4 – Context of the Organization
•Section 5 – Leadership
•Section 6 - Planning
•Section 7 – Support
•Section 8 – Operation
•Section 9 – Performance evaluation
•Section 10- Improvement
•Annex A – Reference Control objectives & controls
ISO/IEC 27001 Scope
Establish, Implement, Maintain and continually
improve a documented ISMS within context of
Organization’s overall risk.
Implement adequate and proportionate
security controls to protect Information Assets.
ISO 27001 Std Section 1.0
ISO/IEC 27001 Application
ISO 27001 Std Section 1.0
The ISMS requirements are generic and intended to apply to all
organizations regardless of type, size or nature. Annex A controls
may be excluded where the risk assessment shows they do not apply,
with the justification recorded in the SOA.
Excluding any of the requirements of Clauses / Sections 4.0, 5.0,
6.0, 7.0, 8.0, 9.0 and 10.0 is not acceptable when an
organization claims conformity to this
International Standard.
ISO/IEC 27001 Normative references
ISO 27001 Std Section 2.0
ISO/IEC 27000, Information Technology – Security Techniques –
Information security management systems – Overview and vocabulary
(the only normative reference; ISO/IEC 27002:2013, Code of practice
for information security controls, is the companion guidance for Annex A)
ISO 27001 - ISMS
ISO 27001 Std Section 4.1
Understanding the Organization and its context:
The Organization shall determine external and
internal issues that are relevant to its purpose and
that affects its ability to achieve the intended
outcomes of its ISMS.
Refer ISO/IEC 27001 Section 4.1
Note: Determining these issues refers to establishing the external and
internal context of the organization considered in clause 5.3 of ISO
31000:2009
INTERNAL CONTEXT - EXAMPLES OF SOURCES OF RISK
Internal source of risk: risk issues
People: knowledge retention, skills, integrity, loyalty, industrial relations, competency, currency of expertise, employment costs, equity, workload management, ethics, demographics, health and safety
Data/information: integrity, currency, relevance, access, storage, quality, timeliness, security, communication
Strategy: robustness, flexibility, strategic fit, planning capability, implementation, involvement, ownership
Stakeholder management: stakeholder needs, segmentation, fulfilment, relationships, service proposition, knowledge & understanding
Leadership: vision, management capability, innovation, culture, ethics, effectiveness, communication, involvement
Process/product/services: robustness, capability, intellectual property, life cycle, innovation, management controls, currency and relevance, quality, efficiency and effectiveness
Business results: business objectives, growth, sustainable development, performance, resilience, sustainability
ISO 27001 - ISMS
ISO 27001 Std Section 4.2
Understanding the needs and expectations of
interested parties:
The Organization shall determine – interested
parties that are relevant to the information security
management system and the requirements of these
interested parties relevant to information security.
Refer ISO/IEC 27001 Section 4.2
ISO 27001 - ISMS
ISO 27001 Std Section 4.3
Scope of ISMS:
The Organization shall determine the boundaries
and applicability of the ISMS to establish scope and
while determining scope the organization shall
consider 4.1 and 4.2.
Refer ISO/IEC 27001 Section 4.3
ISO/IEC 27001 – Scope Definition
Scope Of ISMS encompass the following –
•Business Characteristics
•Organizational Characteristics
•Location
•Assets
•Technology
ISO 27001 - ISMS
ISO 27001 Std Section 4.4
Establish, Implement, Maintain and continually
improve a documented ISMS in accordance with
this International Standard.
Refer ISO/IEC 27001 Section 4.4
ISO 27001 - ISMS
ISO 27001 Std Section 5.0
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities &
authorities
Refer ISO/IEC 27001 Section 5.0
5. LEADERSHIP
5.1 Top management shall demonstrate leadership and commitment
with respect to the ISMS by:
a) Ensuring the information security policy and objectives are established and are
compatible with the strategic direction of the organization
b) Ensuring the integration of ISMS requirements into the organization's business processes
c) Ensuring that the resources needed for the ISMS are available
d) Communicating the importance of effective information security management and of
conforming to the ISMS requirements
e) Ensuring that the ISMS achieves its intended outcome(s)
f) Directing and supporting persons to contribute to the effectiveness
of the ISMS
g) Promoting continual improvement
h) Supporting other relevant management roles to demonstrate their
leadership as it applies to their areas of responsibility
5.2 POLICY
Top Management shall establish a ISMS Policy that
a) Is appropriate to the purpose of the organization
b) provides Framework for setting IS Objectives
c) Includes a commitment to satisfy applicable
requirements
d) includes commitment to continual improvement of
ISMS
e) be available as a documented information
f) be communicated within the organization
g) be available to interested parties, as appropriate
Information security policy -
Minimum contents
•Brief explanation of policies, principles, standards and
compliance requirements
•Legislative and contractual requirements
•Security education requirements
•Viruses and other malicious software
•Business continuity management
•Consequences of security policy violations
5.3 ORG. ROLES, RESPONSIBILITIES AND AUTHORITIES
Responsibilities and authorities for relevant roles are
assigned and communicated within the organization
Top Management shall assign the responsibility and authority
for:
Ensure that ISMS conforms to the requirements of this
international standard
reporting on performance of ISMS to top Management
Top management may also assign responsibilities and
authorities for reporting performance of the ISMS within the
Org. ( appointment of CISO / ISO)
ISO 27001 - ISMS
ISO 27001 Std Section 6.0
6.0 Planning
6.1 Actions to address risks and opportunities
- General
- Information security risk assessment
- Information security risk treatment
6.2 Information security objectives and plans to
achieve
Refer ISO/IEC 27001 Section 6.0
Cl. 5 ISO 31000:2009 Risk Management Process
Establishing the context (5.3)
Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
Risk treatment (5.5)
Running alongside every step: communication and consultation (5.2); monitoring and review (5.6)
6 IS RISK MANAGEMENT
Risk management process = risk assessment (steps a to c) + risk treatment (steps d to h)
a. Define a risk assessment approach
b. Identify the risks
c. Analyse and evaluate the risks
d. Identify and evaluate options for the treatment of risks
e. Select control objectives and controls for the treatment of risks
f. Obtain the risk owners' approval of the proposed residual risks
g. Obtain the risk owners' authorization to implement and operate the ISMS
h. Prepare a Statement of Applicability (SOA)
Refer to ISO/IEC 27001:2013 clauses 6.1 and 6.2 (the assessment and treatment are then carried out under 8.2 and 8.3)
ISO 27001 – ISMS
ISO 27001 Std Section 6.1
• Formulate Risk treatment
• Control Implementation
• Implemented control measurement to assess
control effectiveness.
• Formulate training awareness program
• Manage ISMS operations
• Manage ISMS resources
• Implement Business continuity procedures in
response to Incidents
ISO 27001 – ISMS
ISO 27001 Std Section 6.1
• Monitoring and review procedures to promptly detect errors and
attempted or successful security breaches, determine the root cause (RCA)
and take corrective action.
• Regular reviews into account of security audits, incidents,
effectiveness measurements, suggestions, etc
• Regular reviews of the level of residual risk, and identified
acceptable risk correlating it with incidents, external events,
changes to legal / regulatory requirements.
Note: The IS risk assessment & treatment process in ISO 27001:2013 aligns with
principles & generic guidelines provided in ISO 31000.
ISO 27001 - ISMS
ISO 27001 Std Section 6.2
6.2 Information security objectives and plans to
achieve
The Organization shall establish information security
objectives at relevant functions and levels
Refer ISO/IEC 27001 Section 6.2
ISO 27001 - ISMS
ISO 27001 Std Section 7.0
7.0 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
Refer ISO/IEC 27001 Section 7.0
7.1 RESOURCES
Org. determine and provide the resources
needed for security management
Establishment
Implementation
maintenance
continual improvement
7.2 COMPETENCE
Organization shall
Determine the necessary competence of persons doing work
under its control that affects its IS performance
Ensures that these persons are competent on the basis of
appropriate education, training and experience
Where applicable, takes actions to acquire the necessary
competence, and evaluate the effectiveness of the actions taken
Retain appropriate documented information and evidence of
competence
E.g. Provision of training to, monitoring of, or the reassignment
of current employed persons, or hiring or contracting of
competent persons
7.3 AWARENESS
Persons doing work under the org. control shall be aware
of:
Information Security policy
Their contributions to the effectiveness of the ISMS,
including the benefits of improved ISMS performance
The implications of not conforming with the ISMS
requirements
7.4 COMMUNICATION
Communication
What, when to whom…
Internal and external (e.g. media response) communication
procedures have to be established
Communication procedures for crisis situations and after a disruption
(ensuring the availability of communication) have to be tested
Who is authorized to communicate (the interoperability between
multiple responding organizations has to be considered)
Communication during a disruptive incident
Operating and testing the communication capabilities intended for
use during disruption of normal communication (ISO 22301:2012 clause 8.4.3)
ISO 27001 – Document Requirements
ISO 27001 Std Section 7.5
• ISMS Policy & Objectives
• ISMS Scope statement
• Supporting Procedures
• Risk Management Plan
• Risk Assessment Sheet / Report
• Risk Treatment Plan
• Documented procedures ensuring effective planning, operations and control.
• Evidences – Documented information
• Statement of applicability
ISO 27001 – Document Requirements
ISO 27001 Std Section 7.5
• Document approval prior to issue.
• Re-approval after review (changes) and updates is necessary.
• Revision status of the document should be identified.
• Ensure the most recent version is available to all concerned.
• Identification and control of documents of external origin.
• Ensure obsolete documents are identified and prevented from unintended use.
ISO 27001 – Records Control
ISO 27001 Std Section 7.5
• Records must be maintained as an evidence of ISMS
Implementation
• Records must remain legible, readily identifiable and
retrievable.
• Control of document identification, storage, protection,
retrieval, retention and disposal must be defined appropriately.
• Consider the ‘Legal’ requirements records & records of
performance of security processes and all security incidents.
ISO 27001 - ISMS
ISO 27001 Std Section 8.0
8.0 Operation
8.1 Operational Planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
Refer ISO/IEC 27001 Section 8.0
Risk management process (management guidelines)
Risk identification -> risk analysis -> risk evaluation -> risk treatment (accept, transfer, reduce, avoid)
Throughout the process: communication, reporting and monitoring; risk controlling; recording the risk management process
ISO 27001 - ISMS
ISO 27001 Std Section 9.0
9.0 Performance evaluation
9.1 Monitoring, measurement, analysis & evaluation
9.2 Internal audit
9.3 Management Review
Refer ISO/IEC 27001 Section 9.0
ISO 27001 – Internal ISMS audits
ISO 27001 Std Section 9.2
• Conduct ISMS Audits at planned intervals
• ISMS audit confirms conformity to the requirements of the standard and relevant legislation
• The ISMS audit programme should take into account the status and importance of the areas to be audited, and the results of previous audits
• A documented procedure must cover the responsibilities for planning, conducting and reporting audits
• Corrective actions to be taken without undue delay
• Follow-up on corrections and corrective actions must be verified
ISO 27001 – Management Review
ISO 27001 Std Section 9.3
• Review of organizations ISMS at planned intervals
to ensure ISMS adequacy, effectiveness
• Assess the opportunity of Improvements
• Discuss the need / changes to ISMS
• Records required
ISO 27001 – Management Review
ISO 27001 Std Section 9.3
• Review performance and improvement opportunities
• ISMS Audit results
• Feedback from others
• Non-conformities and corrective actions
• Suggestion to improve ISMS performance
• Follow-up action on previous management reviews
• Changes to ISMS
• Recommendation for Improvements
ISO 27001–Management Review
ISO 27001 Std Section 9.3
• Recorded result of Management review meeting
• Improvement of effectiveness of ISMS
• Modification to Scope statement, policies, procedures, etc.
• Resource requirements
• Improvement on measurement of implemented controls
ISO 27001 - ISMS
ISO 27001 Std Section 10.0
10.0 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Refer ISO/IEC 27001 Section 10.0
ISO 27001 – Corrective Action
ISO 27001 Std Section 10.1
• Organization shall take remedial action to eliminate the cause of nonconformity
• Documented procedure of Corrective action determines:
– Review of Nonconformities
– Review the cause of NC’s
– Evaluate the need of action
– Implementation of Corrective action
– Result of action taken
– Review of Corrective action taken
ISO 27001 – ISMS Improvements
ISO 27001 Std Section 10.2
• Organizations shall continually improve the ISMS through
the use of the following:
– Security policy
– Information security objectives
– Audit analysis
– Analysis of monitored events
– Corrective actions (ISO 27001:2013 no longer has a separate "preventive action" clause; prevention is handled by the risk-based planning of clause 6.1)
– Management review meetings
Session – 4
Risk Management & Risk
assessment
Risk Management & Risk assessment
Agenda
•Risk Management – why?
•Risk Management
•Importance of risk management
•Responsibilities of risk management
•CIA, Vulnerabilities and Threats
•Risk
•Risk assessment / analysis
•Various steps of risk management
•Evaluating Risk assessment (Best Practices)
Risk Management & Risk assessment
Risk Management – Why?
•Dependence on Information
•Change of Business Paradigm in terms of:
•Connectivity
•Telecommunication oriented Business Model
•Service oriented architecture
•Worsening Information Security Threats
•Customer Confidence
•Helps organization to articulate vulnerabilities with
threats
What do you understand by Risk Management
What do you understand by Risk management?
Risk Management is a process of identifying, assessing and
reducing this risk to an acceptable level and implementing the
right mechanism to maintain the level of risk.
Coordinated activities to direct and control organization with
regard to risk
Risk Management is a detailed process of identifying facets that
could damage data, evaluating those facets in light of data
value and countermeasure cost, and implementing cost-effective
solutions for mitigating the risk(s).
Note: The IS risk assessment & treatment process in ISO 27001:2013 aligns with
principles & generic guidelines provided in ISO 31000.
Risk Management Life Cycle
[Figure: a threat exploits a vulnerability in an asset; the result is a risk, i.e. the exposure of the asset; a safeguard reduces that exposure.]
Risk assessment Team Composition
Individuals from all operational departments
i.e. managers, project supervisor, SME, etc.
Quality Leaders / System designers and
integrators
And, final authority to approve the RA.
Threat & Vulnerability
Threat
Any potential event, or threat source, that
may cause disruption or an undesirable outcome
for an organization, system or asset, e.g.
alteration, destruction, loss, disclosure, etc.
Vulnerability
A weakness in an asset or safeguard that a threat can exploit,
e.g. an oversight, a design flaw, lack of resistance, an exposed service, etc.
What do you understand by Risk?
Risk is the possibility of damage happening.
Risk is the possibility that a threat will exploit a specific vulnerability to cause harm to an asset.
Physical damage – fire, water, power loss, natural disaster
Human resource – intentional actions, oversight
Misuse of data – fraud, theft, sharing trade secrets
Application error – input errors, output errors, buffer overflows
Importance of Risk Management
It allows managers to balance the operational and economic costs and achieve gains in mission capabilities.
It helps the organization to assess and understand the business impact of the current risk level and to prioritize future directions / recommendations.
It helps organizations to evaluate options for the treatment of risk: implementing appropriate controls, accepting risk, avoiding risk and transferring risk.
What do you understand by
Risk assessment & Risk analysis
RA is the first process of risk management
methodology.
It helps organization to determine the extent of
potential threats & vulnerabilities and associated risk
within operational system.
The output of this exercise helps to identify
appropriate controls for reducing / eliminating the
risk.
It helps integrate the security program / module
objectives with company’s business objectives.
It helps senior management to review essential
outcome of assessment / analysis and act on its
finding.
Steps of Risk assessment
Step 1: Asset Classification
Step 2: Asset Valuation
Step 3: Threat identification
Step 4: Vulnerability identification
Step 5: Impact Determination
Step 6: Likelihood Determination
Step 7: Risk Determination
Step 8: Risk Mitigation
(reduce, transfer or accept the risk(s); select safeguards)
Step 9: Recommended controls
Step 10: Result documentation / report
Step – 1: Asset Classification
Asset Registry / list of the following
•Physical assets e.g. Physical Infrastructure assets,
Computer Systems
•Software assets e.g. operating systems, applications, development tools
•Information assets e.g. shared folders, hardcopies
•Service assets e.g. Security & housekeeping services
•Human resource e.g. VP’s, Managers, Associates
Tools and techniques
•Questionnaire, On-Site Interview
•Automated scanning tools e.g. Microsoft SMS ®
Step -2 : Asset Valuation
Asset value is derived from the individual Confidentiality (C),
Integrity (I) and Availability (A) ratings / values.
Asset value is determined by one of the following methods:
Addition Method
C + I + A = AV
Multiplication Method
C * I * A = AV
Aggregated Method
(C + I + A)/3 = AV
Choose one method and apply it to every asset: the multiplication
method spreads the values much more widely than the other two, so
the same ratings can rank assets differently under different methods.
Step–3: Threat Identification
Any potential occurrence of threat-source that exploits
specific vulnerability
The identification must consider the source / agent of
threat, potential vulnerabilities (step 4), existing
controls, past history, information from special
interested groups, etc
Step–4: Vulnerability Identification
The weakness / flaw of safeguard
The identification must consider the source of threat,
threat action, audit reports (Non Conformances), past
assessment reports, special interested groups, etc.
Step – 5: Impact Determination
The adverse impact resulting from a threat
successfully exploiting a vulnerability.
The identification must consider the Individual
Asset value and exposure rating, also the overall
criticality of asset or exposure, BIA (Business
Impact Analysis), FMEA, etc.
Impact can also be determined based on loss of
confidentiality, loss of integrity and loss of
availability.
Likelihood
Examples:
Rare - an event that is highly unlikely to occur, if ever.
Unlikely - an event that is unlikely to occur, perhaps once every 3 years.
Likely - an event that can be expected to occur, although relatively infrequently.
Almost certain - an event that is fairly probable and could be expected to occur several times a year.
Step-6: Likelihood Determination
Likelihood covers all aspects of occurrence.
This indicates the probability that potential
vulnerability may be exploited with associated
threat and environment
The determination must cover the threat source,
Nature of vulnerability and effectiveness of
current controls
Step – 7: Risk Determination
The purpose is to assess the level of risk to the
system
The below mentioned points should be
considered while determination of risk.
The likelihood of threat exploiting a given
vulnerability
The magnitude of the impact
The adequacy of existing controls (in-order to
reduce or eliminate the overall risks
Step – 8: Risk Mitigation
Also known as the 'Risk treatment plan': a systematic
approach which helps management to understand the
level of risk and to reduce the risk to the mission.
This process involves prioritization, evaluating and
implementing the appropriate methodology.
Step – 8: Risk Mitigation
The mitigation / treatment can be achieved by various
options:
Total risk: the risk before any safeguard is applied; it is what remains when the organization chooses not to implement any safeguard.
Risk acceptance: acceptance of a risk by management, e.g.
open ports on VOIP solutions / telecom dialer.
Risk transfer: transfer the existing risk to others, e.g. insurance, outsourced security services, etc.
Risk avoidance: stop or change the activity that gives rise to the risk.
Risk reduction: implement controls that lower the likelihood or the impact.
Residual risk: the risk that remains after treatment, e.g. disclosure, loss of data, etc.; it must be approved by the risk owners.
Risk Treatment
Risk Treatment: Examples
Threat name / Asset / Countermeasure / ISO 27001 control
Poor system performance / Whole of network infrastructure / Full capacity planning for technical and business aspects / A.12.1.3 (Capacity management)
User error / Associates / Help desk and training / A.7.2.2 (Information security awareness, education and training)
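The ten assessment steps above, including the three asset-valuation methods of Step 2 and the treatment options of Step 8, as one small Python risk register. This is an added worked example, not part of the TUV training material: the five-point scales, the impact bands, the risk appetite, the sample assets and their ratings are all constructed assumptions; only the Annex A references A.12.1.3 and A.7.2.2 come from the treatment table above. It also goes one step beyond the text by showing that the addition and multiplication methods can rank two assets in opposite order.

```python
"""Risk register for the ten-step risk assessment (added illustration).

Not part of the TUV training material. The 1..5 scales, the risk appetite,
the impact bands, the sample assets and their ratings are constructed
assumptions; only the Annex A references A.12.1.3 and A.7.2.2 are taken
from the deck's own treatment table.
"""
from dataclasses import dataclass

SCALE = range(1, 6)           # assumed 1..5 scale for C, I, A, likelihood, impact
RISK_APPETITE = 12            # assumed: scores above this must be treated
VALUE_BANDS = (3, 6, 9, 12)   # assumed: addition-method AV (3..15) -> impact 1..5


def _check(*ratings):
    for r in ratings:
        if r not in SCALE:
            raise ValueError(f"rating {r} is outside the 1..5 scale")


def asset_value(c, i, a, method="addition"):
    """Step 2: one asset value from the C, I and A ratings (the deck's three methods)."""
    _check(c, i, a)
    if method == "addition":
        return c + i + a
    if method == "multiplication":
        return c * i * a
    if method == "aggregated":
        return (c + i + a) / 3
    raise ValueError(f"unknown method {method!r}")


def rank_assets(ratings, method):
    """Asset names ordered most to least valuable under the chosen method."""
    return sorted(ratings, key=lambda n: asset_value(*ratings[n], method=method),
                  reverse=True)


def impact_from_value(av):
    """Step 5: map an addition-method asset value (3..15) onto an impact of 1..5."""
    return 1 + sum(av > band for band in VALUE_BANDS)


def risk_score(likelihood, impact):
    """Step 7: likelihood x impact on the 1..5 scales, giving 1..25."""
    _check(likelihood, impact)
    return likelihood * impact


def treatment(score, transferable=False):
    """Step 8: accept within appetite; above it, transfer when a third party can
    carry the risk (insurance, outsourced service), otherwise reduce with controls.
    Avoidance (stopping the activity) is a business decision, not derived here."""
    if score <= RISK_APPETITE:
        return "accept"
    return "transfer" if transferable else "reduce"


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    c: int
    i: int
    a: int
    likelihood: int
    control: str              # Annex A reference proposed if the risk is treated
    transferable: bool = False


def build_register(scenarios):
    """Steps 2, 5, 7 and 8 for every scenario; returns the Step 10 report rows,
    highest risk first."""
    rows = []
    for s in scenarios:
        av = asset_value(s.c, s.i, s.a)
        impact = impact_from_value(av)
        score = risk_score(s.likelihood, impact)
        action = treatment(score, s.transferable)
        rows.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "asset_value": av, "impact": impact, "likelihood": s.likelihood,
            "risk": score, "treatment": action,
            # a control only enters the SOA justification when the risk is treated
            "control": s.control if action != "accept" else "",
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample scenarios (assumptions); the first two reuse the
# threat / asset / countermeasure rows of the treatment table above.
SAMPLE = [
    Scenario("Network infrastructure", "Poor system performance",
             "No capacity planning", 2, 3, 5, 4, "A.12.1.3"),
    Scenario("Associates", "User error", "No security awareness training",
             3, 3, 2, 5, "A.7.2.2"),
    Scenario("Customer database", "Disclosure", "Backups stored unencrypted",
             5, 4, 3, 2, "A.10.1.1"),
    Scenario("Office building", "Fire", "Single site, no insurance",
             2, 3, 5, 4, "A.17.1.2", transferable=True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['risk']:>2}  {row['treatment']:<8} {row['asset']:<24} "
              f"{row['threat']:<24} {row['control']}")
```

Running the module prints the register sorted by risk: the network and fire scenarios score 16 (reduce and transfer respectively), user error scores 15 (reduce), and the database disclosure scores 8 and is accepted with no new control. The ranking check is the practical point of Step 2: an asset rated (5, 5, 1) outranks one rated (3, 4, 3) under the addition method (11 vs 10) but not under the multiplication method (25 vs 36), so the valuation method must be fixed in the risk assessment approach before any scores are compared.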
ISO 27001 – RA Repeatability
Changes to business requirements and priorities
New - Assets, threats and vulnerabilities
Periodic reviews to confirm controls remain
effective and appropriate
ISO 27001 - SOA
(Statement of applicability)
•ISO 27001:2013 controls selected or not
•Visible links back to Risk Assessment and Assets
•SOA stating reasons for control selection
•SOA stating reasons for control exclusion
•Additional controls could be selected
ISO 27001 - SOA
SOA – Statement of Applicability Possible Format
•Scope of ISMS
•Reference to Risk Assessment approach
•Control Table
•ISO 27001:2013 Annex A
•Control Requirement
•Selected/ Excluded – Justification
•Documents/Records/Responsibilities/Assets
ISO 27001 - SOA
Example SOA entries (ISO 27001:2013 control / selected (Yes/No) / applies to / justification):
A.5.1 Information security policy / Yes / ... / ...
A.11.2 Equipment (security) / Yes / ... / ...
A.10.1.1 Policy on the use of cryptographic controls / No / ... / "Because we do not have ..." or reference to ...
An exclusion must be justified against the risk assessment, not only by current practice: "we do not use cryptography" is not a justification if an asset's confidentiality rating requires it.
ISMS – Management Framework
Step 1: Define the policy -> policy document
Step 2: Define the scope of the ISMS -> scope of ISMS
Step 3: Undertake risk assessment -> information assets; risk assessment results & conclusions
Step 4: Manage risk -> degree of assurance required
Step 5: Select controls -> control objectives; selected control options; additional controls
Step 6: Statement of Applicability -> statement
Information Technology – Security
Techniques – Information Security
Management System (ISMS)
ISO/IEC 27001:2013
Annex A
Control Objectives & Controls
Reference Control Objectives & Controls (Annex A)
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communications security
A.14 System acquisition, development & maintenance
A.15 Supplier Relationships
A.16 Information security incident management
A.17 Information security aspects of BCM
A.18 Compliance
Annexure – A
Annexure A (Normative):
14 management Domain, 35 Objectives, 114 controls
A.5- Security Policies
A.6 – Organization of Information Security
A.8 – Asset management
A.7 – Human resource
Security
A.11 – Physical and
Environment
Security
A.15 – Supplier
Relationships
A.10, A.12, A.13 –
Cryptography &
Operations
security &
Communications
security
A. 14 – Information
System Acquisition,
Development and
Maintenance
A.9 – Access Control
A.16- Information security incident management
A.17 – Business Continuity Management
A.18 – Compliance
A.5 Security Policy
A.5 Information Security Policies
A.5.1 Management Direction for Information Security
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
Typical contents of the information security policy:
1. Definition of information security (objective, scope and mechanism)
2. Statement of management intent, supporting the goals and principles of information security
3. Brief explanation of the security policies, principles, standards and compliance requirements
4. General and specific responsibilities for information security management
5. References to more detailed, topic-specific policies and procedures, e.g. personnel screening policy, clear desk and clear screen policy, ...
Ref: ISO/IEC 27002:2005, page 2 (current text: ISO/IEC 27002:2013, 5.1.1)
A.6 Organization of Information Security
A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate
and control the implementation and operation of information
security within Organization
Controls: A. 6.1.1 to A.6.1.5
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and the use of
mobile devices
Controls: A.6.2.1 to A.6.2.2
A.6.1 Internal organization
A.6.1.1Allocation of information security responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Project Management
6.2 Mobile devices and teleworking
A.6.2.1 Mobile devices policy
A.6.2.2 Tele working
6 Organization of information security
A.7 Human Resource Security
A.7 Human Resource Security
A.7.1 Prior to employment
Objective: To ensure that employees, contractors understand
their responsibilities and are suitable for the roles for which they
are considered.
Controls:A.7.1.1 to A.7.1.2
A.7.2 During Employment
Objective: To ensure that employees and contractors are aware of
and fulfill their information security responsibilities.
Controls : A. 7.2.1 to A.7.2.3
A.7.3 Termination and change of employment
Objective: To protect organization's interests as a part of
process of changing or terminating employment
Controls :A. 7.3.1
A.7.1 Prior to Employment
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2 During employment
A.7.2.1 Management Responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary Process
. A.7.3 Termination or change of employment
A.7.3.1 Termination or change of employment responsibilities
A.7 Human Resource Security
A.8 Asset Management
A.8 Asset Management
A.8.1 Responsibility for assets
Objective: To identify organizational asset and define appropriate
protection responsibilities
Controls : A. 8.1.1 to A. 8.1.4
A.8.2 Information classification
Objective: To ensure that information receives an appropriate
level of protection in accordance with its importance to the
organization
Controls :A. 8.2.1 to A. 8.2.3
A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification,
removal or destruction of information stored on media
Control : A. 8.3.1 to A. 8.3.3
A.8.1 Responsibility for assets\
A.8.1.1 Inventory of Asset
A.8.1.2 Ownership of Assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2 Information classification
A.8.2.1 Classification of Information
A.8.2.2 labeling of Assets
A.8.2.3 Handling of Assets
A.8.3 Information classification
A.8.3.1 Management of removable media
A.8.3.2 Disposal of Media
A.8.3.3 Physical Media Transfer
A.8 Asset Management
Asset Identification & Classification
ISO 27001 Std Section 4.2 (2005 edition; in ISO 27001:2013 the asset inventory is control A.8.1.1)
Information assets: databases, data files, system documentation, operations manuals, support procedures, user manuals, training manuals, intellectual property, continuity plans, fallback arrangements
Services: computing, telecommunication, power & lighting, water, air-conditioning, heating, gas, fire control, generators, UPS, intruder alarms
Paper documents: contracts, company documentation, business results, HR records, purchase documents, invoices, supplier lists, company catalogues
People: employees, customers, subscribers, contractors, cleaners, security staff, trainees
Software assets: operating systems, application systems, development tools, utilities
Physical assets: servers, computers, hubs, switches, routers, firewalls, communication equipment, magnetic and optical media, other equipment (racks, cabinets, safes)
Information classification guidelines
Example (each scenario calls for a progressively higher classification level)
Scenario 1
Disclosure outside the organization would be inappropriate and inconvenient
Scenario 2
Disclosure inside or outside the organization would cause significant harm to the interests of the organization
Scenario 3
Disclosure inside or outside the organization would cause serious damage to the interests of the organization
A.9 Access Control
A.9.1 Business requirements of access control
Objective: To limit access to information and information
processing facilities.
Controls: A.9.1.1 to A.9.1.2
A.9.2 User access management
Objective: To ensure authorized user access and to prevent
unauthorized access to systems and services.
Controls: A.9.2.1 to A.9.2.6
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their
authentication information.
Controls: A.9.3.1
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and
applications.
Controls: A.9.4.1 to A.9.4.5
A.9.1 Business requirements of access control
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2 User access management
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information
A.9 Access Control
A.9.4 System and application access control
A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.9 Access Control
A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to
protect the confidentiality, authenticity and/or integrity of information.
Controls: A.10.1.1 to A.10.1.2
• A.10.1.1 Policy on the use of cryptographic controls
• A.10.1.2 Key management
A.11 Physical and Environmental Security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and
interference to the organization's information and information processing facilities.
Controls: A.11.1.1 to A.11.1.6
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets
and interruption to the organization's operations.
Controls: A.11.2.1 to A.11.2.9
A.11 Physical and Environmental Security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2 Equipment
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy
A.11 Physical and Environmental Security
A.12 Operations Security
A.12.1 Operational procedures and responsibilities
A.12.1.1 to A.12.1.4
A.12.2 Protection from malware
A.12.2.1
A.12.3 Backup
A.12.3.1
A.12.4 Logging and monitoring
A.12.4.1 to A.12.4.4
A.12.5 Control of operational software
A.12.5.1
A.12.6 Technical Vulnerability management
A.12.6.1 to A.12.6.2
A.12.7 Information systems audit considerations
A.12.7.1
A.12 Operations security
AREA 12: OPERATIONS SECURITY (7/14)
A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected
against malware.
A.12.3 Backup
Objective: To protect against loss of data.
A.12.4 Logging and monitoring
Objective: To record events and generate evidence. (Control A.12.4.1 requires that event logs
recording user activities, exceptions, faults and information security events be produced, kept
and regularly reviewed.)
A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
Rev. 04, Dec 2013
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
A.12.2 Protection from malware
A.12.2.1 Controls against malware
A.12.3 Backup
A.12.3.1 Information backup
A.12.4 Logging and monitoring
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12 Operations Security
A.12.4 Logging and monitoring
A.12.4.4 Clock synchronization
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls
A.12 Operations Security
A.13 Communications Security
A.13.1 Network security management
Objective: To ensure the protection of information in networks
and its supporting information processing facilities.
Controls: A.13.1.1 to A.13.1.3
A.13.2 Information transfer
Objective: To maintain the security of information transferred
within an organization and with any external entity.
Controls: A.13.2.1 to A.13.2.4
A.13.1 Network security management
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
A.13 Communications Security
A.14 System Acquisition, Development
and Maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information
systems across the entire life cycle. This also includes the requirements for
information systems which provide services over public networks.
Controls: A.14.1.1 to A.14.1.3
A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented
within the development life cycle of information systems.
Controls: A.14.2.1 to A.14.2.9
A.14.3 Test data
Objective: To ensure the protection of data used for testing.
Controls: A.14.3.1
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3 Test data
A.14.3.1 Protection of test data
A.14 System Acquisition, Development and Maintenance
A.15 Supplier Relationships
A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.
Controls: A.15.1.1 to A.15.1.3
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and
service delivery in line with supplier agreements.
Controls: A.15.2.1 to A.15.2.2
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
A.15 Supplier Relationships
A.16 Information Security Incident
Management
A.16.1 Management of information security incidents and
improvements
Objective: To ensure a consistent and effective approach to the
management of information security incidents, including
communication on security events and weaknesses.
Controls: A.16.1.1 to A.16.1.7
A.16 Information Security Incident Management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the
organization's business continuity management systems.
Controls: A.17.1.1 to A.17.1.3
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
Controls: A.17.2.1
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective:
To avoid breaches of legal, statutory, regulatory or
contractual obligations related to information security and of any
security requirements.
Controls: A.18.1.1 to A.18.1.5
A.18.2 Information security reviews
Objective: To ensure that information security is implemented and
operated in accordance with the organizational policies and
procedures.
Controls: A.18.2.1 to A.18.2.3
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual
requirements
A.18.1.2 Intellectual property rights
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
A.18 Compliance