first practice - information security management system implementation and iso 27001 certification
TRANSCRIPT
First Practice - Information Security Management System Implementation and
ISO 27001 Certification
Scope• NBG Services
• Evaluation criteria
• Services and Business processes
• Evaluation results
• ISO/IEC 27001:2013 Certification
• Legal requirements
Scope• International Payment and Reserve Management
Service
• Georgian Payment and Security Settlement Service
• Human resources, Public Relations, Chancellery, Logistics, Legal, Accounting, Internal Audit)
• All Types of Information Assets
Approach
Goals• Ensure compliance
Confidentiality, Availability And Integrity needs.• Establish controls for protection.• Motivate employees• Ensure in continuity.• Ensure the protection of personal data (privacy).• Ensure the availability and reliability of
Infrastructure.• Comply with - ISO/IEC 27001:2013.• Ensure in external service providers compliance.• Ensure flexibility and an acceptable level of
InfoSec security
Acceptable Level
Initiation Project• Competent Consultancy service
• Accreditation requirements
• Tender documentation
• Service requirements
• Project Management Practice
Policy• Context of the National Bank of Georgia • Scope (Procedure) • policy (Policy) • Objectives (Procedure) • Roles and Responsibilities (Procedure) • Risk management (Procedure) • Documented information (Procedure)• Internal audit (Procedure) • ISMS Policy Manual • Employee Guidelines National Bank of Georgia
Policy Cont.• Business Continuity Plan• BCP Procedure (Procedure) • Business continuity (policy) • Risk treatment plan • Statement of Applicability (SoA) • Plan to archive Information security objectives• Contracting rules and templates• Contract template with new employee (Contract
template)• Internal audit plan• Information classification rule (Procedure) • Awareness program and training presentation
Records, Reports• Business impact analysis (Record)• BCP Testing and Maintenance Cycles (Record) • BCP Testing Report (Report) • Assets register (Report) • Risk identification and assessment (Report) • Risk treatment report (Report) • ISMS objectives status report (Report) • Evidence of competence (Record) • Monitoring and measurement (Record) • Internal audit program (Record) • Internal Audit report (Report) • List of corrective actions with results of effectively analysis (Record)• ISMS Management review (Record)• ISMS Contacts with authorities and special groups (Record)• List of suppliers related to ISMS (Record) • Regulation about acceptance of residual risks (Report)
Decision Making• Maximum 1 Working day
• Information security management committee and working group
• Change management committee
• Business continuity management committee and working group
• 2 months for 1 Service.
Acceptable Level
Audit Result• No critical nonconformities
• No nonconformities
• Several recommendations
• 8 domains are on fifth level of CMM
• 6 domains are on fourth level of CMM
• ISO/IEC 27001:2013 cerficate
Thank You