ISO 27001 Certification: An All-Access Pass
Posted on 13-Sep-2014
DESCRIPTION
As a globally recognized security standard, ISO 27001 certification is gaining traction in the U.S. as more companies pursue it to meet contractual obligations or to gain a competitive advantage. Gene Geiger, Director at A-lign, outlines the steps required to become ISO 27001 certified. View the recording of our live presentation here: https://www.youtube.com/watch?v=mMmpAwmXRNU
TRANSCRIPT
Presenter
Gene Geiger, CPA, CISSP, PCIP, QSA, ISO 27k LA
Director at A-lign
Agenda
• An Overview of ISO 27001
• Certification Preparation
• Steps to Certification
• Ongoing Maintenance
• Q & A
History of ISO 27001
• Risk-driven standard
• BS 7799 – 1990s
• ISO 27001:2005
• ISO 27001:2013
Understanding ISO 27001
• Security Framework
  – Living processes
  – Monitors & improves information security
  – Requires management involvement
  – Requires ongoing activities
  – Requires evidence from ISMS activities
Understanding ISO 27001
• Key Terms/Concepts
  – Information security management system (ISMS)
  – Plan-do-check-act
  – Risk assessment
  – Statement of applicability
  – Continuous improvement
  – Management of the security system & other compliance standards
Polling Question 1
What is the most important component of an ISMS?
A. Management Involvement
B. Documented Policies
C. Defining the Scope
Why Conform With ISO 27001
• Conformance vs. Compliance
• International Operations/Customers
• Meet Contractual Obligations
• Gain Competitive Advantage
• Evaluate Security Practices
Overview of ISO 27000 Suite
• 27001 ISMS Specifications
• 27002 Controls
• 27003 Implementation Guide
• 27004 Metrics
• 27005 Risk Management
• 27006 Certification Guide
• 27007 Auditing Guide
• 27008 Technical Auditing
Polling Question 2
Which ISO 27000 standard is an organization certified against?
A. 27002
B. 27007
C. 27001
D. 27004
ISO 27001 Components
Organizational Context & Stakeholders
Information Security Leadership & High-Level Support for Policy
Planning an ISMS; Risk Assessment; Risk Treatment
Supporting an ISMS
Making an ISMS Operational
Reviewing the System's Performance
Corrective Action
ISO 27001 Components
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical & Environmental Security
A.12 Operations Security
ISO 27001 Components
A.13 Communications Security
A.14 System Acquisition, Development & Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance
Certification Preparation
• Management commitment & approval
• Define ISMS scope & boundaries
• Information security requirements analysis
• Conduct risk assessment & treatment plan
• Design the ISMS
• Six to nine months
ISO 27003 Information technology — Security techniques: Information security management system implementation guidance
Steps to Certification
• Selecting a Certification Body
  – Accredited
  – Unaccredited
  – Independence
• Scheduling the Audit
  – Stage 1 audit
  – Stage 2 audit
• Calculating On-Site Time
Polling Question 3
It is best to have your certification auditor help you develop your ISMS.
A. True
B. False
Steps to Certification
• Certification Received
  – Three-year cycle
• Surveillance Audit
  – Years 2 & 3
  – Timing
• Revocation/Suspension
Ongoing Maintenance
• Previous Audit Concerns
  – External audits
  – Certification audits
  – Internal audits
• Internal Audit
  – Selecting the team
• Management Review
  – Not a check-the-box process
Ongoing Maintenance
• Continual Improvement
  – Policies/processes/technology
  – Measure it
• Changes in the Environment
• Complaints/Issues Tracking
Polling Question 4
A Dedicated Internal Audit Department is not required to be ISO 27001 certified.
A. True
B. False
Recommendations
• Understand the Level of Effort
• Obtain Outside Training
• Communicate with your CB (certification body)
• Be Proactive