iso 27000 series

Uploaded by sriram-srinivasan, posted on 06-Apr-2018 (45 pages)

Page 1: Iso 27000 Series

8/3/2019 Iso 27000 Series

http://slidepdf.com/reader/full/iso-27000-series 1/45

Computer Forensics ISO27001 Secure Mobility Penetration Testing www.sapphire.net

ISO 27000 Series

Information Security Management: ‘ISO 27000 series of standards’ development

29 April 2008 – BCS (Jersey)

Vernon Poole – Head of Business Consultancy, Sapphire, UK

Page 2

Speaker Credentials – Vernon Poole

• Recognised global trainer in Information Security Management for over 15 years

• Member of UK & International 27000 User Groups

• Member of ISACA Global ISO27000 Taskforce

• UK & European CISM trainer

• Head of Business Consultancy at Sapphire – totally independent Information Security Services Company

Page 3

Agenda

1. Results of a recent Global Survey 2008

2. ISO27000 series developments

3. Move towards ‘Business Resilience’

Page 4

1. Global Survey 2008 (Certification Europe)

• Respondents : 312 (4 month survey in 2007) = 10% of certified organisations.

• Sectors : All

• Countries : Ireland; Italy; Hong Kong; Japan; UK & USA

• Coverage :

- Information on organisations & responsible officers

- Information on certification & the challenges

- Information on ongoing maintenance & benefits realised

Page 5

Who is adopting 27001

Sector %

• IT Services (customer mandate) 23

• Telcos (customer demand) 14

• Public Sector (government drive) 14

• Print Services (APACS influence) 12

• Health Services (government drive) 7

• Consultancies (requirement) 6

• Pharmaceuticals 5

• Manufacturing 4

• Financial Services 3

• Construction 2

• Legal Services 2

• Other (access to secure networks) 8

Page 6

Size of Organisation adopting 27001

Size %

• Large (> 500 employees) 38

• Medium (200 – 500 employees) 12

• SMEs (< 200 employees) 50

Page 7

Who manages the ISMS

Manager %

• Full time manager 12

• Range of responsibility/role 88

- IT Manager 27

- Quality Manager 19

- Project Manager 12

- Compliance Manager 8

- BC Manager 8

- Facilities Manager 8

- Other arrangements 6

Demonstrates the challenge of adequate resourcing

Page 8

Reasons for Adoption

Reason %

• Best Practice Standard 90

• Competitive Advantage 80

• Legal/Regulatory Compliance 42

• Tendering Requirement 28

• Customer Mandate 18

• Access to Restricted Networks 18

• Competitors had Certification 8

Page 9

Main Challenges to Certification

Challenge %

• Cultural Change 56

• Senior Management ‘Buy-In’ 18

• Resources 18

• Maintaining the ISMS 9

• Understanding the Standard 8

Page 10

Timescale to Certification

Time %

• Within two years 93

• 12 months or less 60

• 6 months or less* 20

* Organisations who were already certified to quality standard – 9001 (80%) or environmental standard – 14001 (12%)

Page 11

Benefits of Certification

• Established a formal approach to IS

• Raised the internal visibility of IS

• Raised the level of IS awareness

• Proof of robust controls

• Clear focus & control of Risk Management

• Increased customer confidence

• Tangible competitive advantage

• Embedded IS in a process of continuous improvement

Page 12

Lessons Learnt

Lesson %

• More Senior Management Involvement (awareness & PR campaign) 33

• More time/resources 17

• Better Risk Management approach 16

• Need to take Ownership 7

• No change to Implementation 27

Page 13

2. ISO 27000 series developments

Since ISO27001 certification has reached critical mass (5k+), future developments will cover three areas:

1. ISMS family of standards (ISO27000 – ISO27010) – covering specification, metrics, implementation guides, audit guides, risk management

2. Sector specific requirements (ISO27011 – ISO27030)

- Telcos; Healthcare; Automotive; Lotteries

3. Operational guidance (ISO27031 – ISO27059)

Page 14

1. Future ISMS Standards

• ISO 27000 – Fundamentals and vocabulary (from late 2008)

• ISO 27001 – ISMS requirements – Certification Process (based on ISO 27002)

• ISO 27002 – Code of Practice on IS Management

• ISO 27003 – ISMS Implementation Guidance (from 2009)

• ISO 27004 – ISMS Metrics and measurement (from late 2008)

• ISO 27005 – ISMS Risk Management (from late 2008)

• ISO 27006 – Guidelines on ISMS accreditation (certification bodies)

• ISO 27007 – Guidelines on ISMS Auditing (from 2009)

Page 15

Structure of 27000 series

27000 Fundamentals & Vocabulary

27001 ISMS

27002 Code of Practice for ISM

27003 Implementation Guidance

27004 Metrics & Measurement

27005 Risk Management

27006 Guidelines on ISMS accreditation

27007 Guidelines on ISMS Auditing

Page 16

ISO 27000: Fundamentals & Vocabulary

• Explains the terminology for all the 27000 series family of standards – will probably be a free publication (marketing)

• Addresses global concerns on definitions that vary from country to country – so consistency will be established

• These principles will impact on other standards like COBIT (IT Processes) and ITIL (IT Service Delivery) and aim to avoid any confusion

IT Governance Institute produced a report entitled ‘Aligning ISO 27001, COBIT & ITIL’ (where Sapphire contributed) & now ISACA has an ISO Taskforce which I sit on for ISO27000

Page 17

ISO 27001: ISMS Certification

• ISMS certification (formerly BS7799-2) – published Nov 05 – operational from 30 Jan 06 onwards

• Clarifies/improves PDCA process requirements

 – ISMS scope – approach to risk assessment

 – selection of controls

 – Statement of Applicability

 – reviewing risks

 – management commitment

 – ISMS internal audits – results of effectiveness & measurements

 – Updated risk treatment plan & controls

Page 18

ISO 27001: Current Global Certification Statistics

• There are 4,500 certifications across 68 countries – with Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA, & Korea at 60) – who are leading the way.

• Note 1 : current certification figures show 150 organisations being certified per month

• Note 2 : organisations who are compliant outnumber those certified by a factor of 25

• Certification Website : www.iso27001certificates.com

• There are currently 4,100 ISO27001 certificates

Page 19

UK Certifications : Sector % Breakdown

[Pie chart; the sector-to-percentage mapping is not recoverable from the extracted text. Sectors shown: Healthcare and Social Sector; Telecommunications; Professional Services; Local Government; Central Government; Judicial; Manufacturing/Heavy Industry; Utilities; Information Technology Services; Services, Sales, Light Industry; Financial Services. Percentages shown: 52%, 18%, 7%, 5%, 4%, 4%, 3%, 3%, 2%, 1%, 1%.]

Page 20

ISO 27002: Code of Practice on IS Management

• 11 sections to protect information assets (formerly ISO/IEC17799:2005) – April 2007

• Choice of 133 detailed controls (based on a risk assessment process & your environment)

• Enhancements covered :

- external service delivery & provisioning of outsourcing

- patch management & current issues

- security prior to, during & on termination of employment

- guidance on risk management, & a section on incident management

- mobile, remote & distributed communications

Page 21

ISO27002 Developments

11 sections (2005) | 10 sections (2000)

Security Policy | Security Policy

Organising Information Security | Security Organisation

Asset Management | Asset Classification & Control

Human Resources Security | Personnel Security

Physical & Environmental Security | Physical & Environmental Security

Communications & Operations Management | Communications & Operations Management

Access Control | Access Control

Information Systems Acquisition, Development and Maintenance | Systems Development & Maintenance

Information Security Incident Management | (no counterpart in the 2000 edition)

Business Continuity Management | Business Continuity Management

Compliance | Compliance

Page 22

ISO 27003 : ISMS Implementation Guidelines

• Implementation guidelines to support the new requirement specification standard

• Annex B of BS7799 Part 2 is the basis:

- overview

- management responsibilities

- governance & regulatory compliance

- personal security & human resources

- asset management

- availability/continuity of business processes

- handling information incidents

- access control

- risk management case studies

Page 23

ISO 27003 : ISMS Implementation Guidelines

• Implements PDCA in more detail

 – Identification of assets

 – Threat identification

 – Risk assessment / risk treatment

 – Analysis and improvement of controls

• Provides detailed descriptions of each process

• Contains an annex with real world examples.

• Probably available in 2009

Page 24

ISO 27004 : Metrics & Measurement

The objectives:

• evaluate effectiveness of IS controls & objectives

• evaluate effectiveness of ISMS (sustainability)

• provide IS indicators to assist management review

• facilitate improvement of IS

• provide input for IS audits

• communicate effectiveness of ISM

• input into risk management process

• output for internal comparison & benchmarking

i.e. how to measure the processes & controls (performance targets; what to measure; how to measure; when to measure)

Page 25

ISO 27005: ISMS Risk Management

• A new standard on ‘Information Security Risk Management’ – an ISO version of BS7799 Part 3 (March 06) (seeks to address information security risks within the wider context of business risks)

• Will also incorporate ISO/IEC 13335 MICTS Part 2 & AS/NZS 4360

• In final draft version

Page 27

ISO 27006: Guidelines on ISMS Accreditation

• EA7/03 guidance (Feb 2002) to certification bodies – now outdated

• Need for increased rigour & evidence from certifying bodies that the organisations going for certification are ‘fit for purpose’ i.e. a robust ISMS framework is not only well established (meeting business needs) but is communicated & working in practice

• Operational from January 2007

Page 28

What is in ISO/IEC 27006?

• General requirements – guidance on ‘impartiality’

• Organisational structure – apply ISO/IEC 17021

• Resource requirements

 – management competence; subcontracting etc

• Information requirements – guidance on certification issues

• Process requirements

 – guidance on ISMS audits

3 new annexes (analysis of ISMS complexity; example areas of auditor competence; audit time calculations)

Page 29

ISO 27007: Guidelines on ISMS Auditing

• Guidance for audit & accredited certification bodies auditing ISMS

• It will draw heavily on ISO 19011:2002 (auditing quality & environmental management systems)

• Early stage of development: JTC1/SC27 is seeking agreement from national standards bodies on the proposed scope

• Publication date will not be until 2009

Page 30

2. Future Developments – Sector specific standards

• Telecoms (Global) – ISO 27011

• Healthcare (UK) – ISO 27799

• Automotive (Germany;Korea;Sweden)

• Lottery (WLA – World Lottery Association)

The following slides outline their progress

Page 31

ISO 27011: ISM Guidelines for Telecommunications

• This implementation guide is being developed jointly by ITU/ISO (publication date – 2009).

• ITU-T recommendation (2004/5) based on the following standards:

- X.800 & X.805 Security architectures

- ISO 9001/14001 Quality/environmental management

- ISO 27001 & ISO 27002

- ISO Guide 73:2002 Risk management

• The summary stated: “Information & supporting processes, teleco facilities, networks & lines are important business assets. To appropriately manage these assets & to successfully continue their business activities, ISM is extremely necessary”.

Page 32

ISO 27799 : Security Management in Health using ISO27002 (draft)

• This standard is being developed by ISO committee TC215 – Health Informatics covering healthcare information (data models, communications for medical devices, health cards, e-prescribing etc)

• The standard views information security in an information governance context (where 25 threats are addressed)

• The standard is developed independently of the ISO/IEC committee JTC1/SC27 responsible for the other ISO27000 standards, & is not entirely aligned (numbering system may change)

Page 33

3. Detailed ISO Operational Guides being considered

• ISO 27031 : ICT readiness for Business Continuity

• ISO 27032 : Guidelines for Cyber security

• ISO 27033 : IT Network Security

• ISO 27034 : Guidelines for Application Security

No publication dates yet for these specific guides

Page 34

ISO 27031: ICT readiness for Business Continuity

• This standard may be based on a Singaporean BC/DR standard SS507 & incorporate parts of BS25999.

• SS507:2004 “a basis to certify & differentiate BC/DR service providers, help selection & provides quality assurance (inc. best practices to mitigate outsourcing risks).”

• Singapore was first country to introduce a certification program for service providers – it specifies stringent requirements (inc. asset management; third party vendor management; outsourcing arrangements; privacy & confidentiality)

Page 35

ISO 27032 : Guidelines for Cyber security

• Currently in development phase (WD – working draft)

Page 36

ISO 27033 : IT Network Security

• This standard has been proposed as the new name for the existing standard ISO/IEC 18028:2006.

• The proposed standard will have seven parts:

1. Guidelines for network security

2. Guidelines for design/implementation of network security

3. Reference networking scenarios

4. Securing communications between networks using gateways

5. Securing remote access

6. Securing communications across networks using VPNs

7. Guidelines for securing mobile communications

Page 37

ISO 27034 : Guidelines for Application Security

• Objective : to develop security guidance for application design & programming. This multi-part standard will provide guidance on information security controls relating to the application systems life cycle in a business organization

• Currently, Part 1 is in development phase (WD – working draft)

Page 38

3. What is Business Resilience

• Operational Risk is the risk that results from:

- failed internal processes

- accidental or deliberate actions of people

- problems with systems & technology

- external events

• Business resilience is the organisation’s ability to sustain its business mission in the face of these risks. It depends on effective management of all the risks above – this encompasses IS; BCM & IT Operations Management.

• Business resilience is therefore a challenging emergent concept

Page 39

3. Business Resilience

From Information Security to Resilience

Information Security (from):

• Managing threats/vulnerabilities

• No articulation of desired state

• Throw technology at the problems

Resilience (to):

• Managing impact/consequences

• IS defined as a desired state

• IS is balanced between cost/risk

Page 40

3. What is Business Resilience

• Origins: ‘resiliency engineering’ – to design, develop, implement & manage the protection & sustainability of business critical:

1. Services – both internal/external activities for strategic benefit

2. Processes – steps to achieve the business mission

3. Assets – ‘people, information, technology, facilities’:

: People – human capital – influences process delivery

: Information – influences access/availability

: Technology – tools to accomplish business mission

: Facilities – physical places where other objects ‘live’

• Aim: to protect these business critical objects from disruption


Page 41

3. Business Resilience – in Practice

[Diagram] BUSINESS PROCESSES:

• rely on the actions of PEOPLE

• require & create INFORMATION

• are supported by TECHNOLOGY

• are performed in FACILITIES

Page 42

3. Business Resilience – the Challenge

Balancing Risks and Resilience

[Diagram] Manage Risk for the ASSET on two sides:

• Protect – Information Security Focus – manage the condition

• Sustain – Co-operation Focus – manage the consequence

Page 43

3. Business Resilience – how mature are you?

[Diagram] Maturity levels, least to most mature:

1. PARTIAL (Vulnerability Driven) – EVENT DRIVEN – IRREGULAR & REACTIVE

2. FORMAL (Risk Driven) – PLANNED

3. IDEAL (Business Driven) – ACTIVELY MANAGED AND CONTROLLED – SYSTEMATIC & ADAPTIVE

Characteristics at the PARTIAL end:

• Technical Problem

• Owned by IT

• Expense Driven

• Practice Centric

• IS & Survival

Characteristics at the IDEAL end:

• Business Problem

• Owned by Business

• Investment Driven

• Process Centric

• Business Resilience

Page 44

3. Business Resilience – Categories

There are four categories:

1. Corporate Ownership/Management (7 areas): enterprise focus that risk management activities need

2. Business Foundations (6 areas): implement resilience for information assets, business processes & services – foundation for protection & sustainability of assets

3. Operational Resilience (11 areas): resiliency of people, information, technology, & facilities assets

4. Continuous Monitoring (2 areas): measuring, managing & improving the resiliency process

Page 45

Thank You for Your Time !! Any Questions ??

Vernon Poole – [email protected]

TECHNICAL CONSULTANCY: Content Security; Policy Compliance; Application Firewalls; End Point Security; High Availability; Remote Access SSL VPN; Strong Authentication

FORENSICS: Computer Forensics; Data Recovery; Forensic Email Archiving; Forensic Training

BUSINESS CONSULTANCY: ISO27001; ISO27002; CLAS; BCP/DR; Business Resilience

BUSINESS ASSURANCE: Penetration Testing; Vulnerability Assessments; Strategic Support Agreements; Security Audits