ISO/IEC 27001:2005
A brief introduction

Dimitris Petropoulos, Managing Director, ENCODE Middle East
September 2006


Page 1: ISO27001 Introduction - beefchunk.combeefchunk.com/.../security-management/ISO27001_Introduction.pdf · What is Information Security ISO 27001 defines this as the preservation of:



“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

Information may be:
• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Spoken in conversations
• …


What is Information Security

ISO 27001 defines this as the preservation of:

• Confidentiality: Ensuring that information is accessible only to those authorized to have access
• Integrity: Safeguarding the accuracy and completeness of information and processing methods
• Availability: Ensuring that authorized users have access to information and associated assets when required

(Figure: information at the centre, surrounded by threats, vulnerabilities and risks.)


Achieving Information Security

The 4 Ps of Information Security: People, Products, Policy & Procedures


Drivers & Benefits of compliance with the standard


ISO27001 Drivers

• Internal Business Drivers
  – Corporate Governance
  – Increased Risk Awareness
  – Competition
  – Customer Expectation
  – Market Expectation
  – Market Image
• Regulators

Reasons for seeking Certification according to a BSI-DISC survey:
  Best Practice          38%
  Business Security      35%
  Competitive Advantage  18%
  Market Demand           9%


Benefits of compliance [1]

• Improved effectiveness of Information Security
• Market Differentiation
• Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
• The only standard with global acceptance
• Potential lower rates on insurance premiums
• Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
• Reduced liability arising from unimplemented or unenforced policies and procedures


Benefits of compliance [2]

• Senior Management takes ownership of Information Security
• Standard covers IT as well as organization, personnel, and facilities
• Focused staff responsibilities
• Independent review of the Information Security Management System
• Better awareness of security
• Combined resources with other Management Systems (e.g. QMS)
• Mechanism for measuring the success of the security controls


ISO27001 Evolution


ISO27001/ISO17799/BS7799: History

1995      BS 7799 Part 1
1998      BS 7799 Part 2
1999      New issue of BS 7799 Part 1 & 2
Dec 2000  ISO 17799:2000
2002      New BS 7799-2
2005      New ISO 17799:2005 released; ISO 27001:2005 released


ISO 27001, ISO17799 & BS7799 Standards

ISO/IEC 17799 = BS 7799 Part 1: Code of Practice for Information Security Management
– Provides a comprehensive set of security controls
– Based on best information security practices
– It cannot be used for assessment and registration

ISO 27001 = BS 7799 Part 2: Specification for Information Security Management Systems
– Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
– Specifies requirements for security controls to be implemented
– Can be used for assessment and registration


Why BS7799 moved to ISO27001

Elevation to international standard status

More organizations are expected to adopt it

Clarifications and Improvements made by the International Organization for Standardization

Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)


The ISO 27000 series

• ISO 27000 – principles and vocabulary (in development)
• ISO 27001 – ISMS requirements (BS7799 Part 2)
• ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
• ISO 27003 – ISMS Implementation guidelines (due 2007)
• ISO 27004 – ISMS Metrics and measurement (due 2007)
• ISO 27005 – ISMS Risk Management
• ISO 27006 – 27010 – allocation for future use


ISO 27001 Overview


What is ISO27001?

An internationally recognized structured methodology dedicated to information security

A management process to evaluate, implement and maintain an Information Security Management System (ISMS)

A comprehensive set of controls comprised of best practices in information security

Applicable to all industry sectors

Emphasis on prevention


ISO27001 Is Not…

A technical standard

Product or technology driven

An equipment evaluation methodology such as the Common Criteria/ISO 15408
– But may require utilization of a Common Criteria Evaluation Assurance Level (EAL)


Holistic Approach

ISO 27001 defines best practices for information security management

A management system should balance physical, technical, procedural, and personnel security

Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk to your security being breached

Information security is a management process, not a technological process


ISO 27001:2005 - PDCA

1. Establish the ISMS

• Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

2. Implement and operate the ISMS

• Implement and operate the security policy, controls, processes and procedures.

3. Monitor and review the ISMS

• Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.

4. Maintain and improve the ISMS

• Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.


ISO 27001:2005 Structure

Five mandatory requirements of the standard:

1. Information Security Management System
   • General requirements
   • Establishing and managing the ISMS (e.g. Risk Assessment)
   • Documentation Requirements
2. Management Responsibility
   • Management Commitment
   • Resource Management (e.g. Training, Awareness)
3. Internal ISMS Audits
4. Management Review of the ISMS
   • Review Input (e.g. Audits, Measurement, Recommendations)
   • Review Output (e.g. Update Risk Treatment Plan, New Resources)
5. ISMS Improvement
   • Continual Improvement
   • Corrective Action
   • Preventive Action


The 11 Domains of Information Security Management (Annex A.5 to A.15)

1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Overall the standard can be put in:
• Domain Areas – 11,
• Control Objectives – 39, and
• Controls – 133


ISO27001 vs BS7799


ISO27001 vs BS7799 [1]

ISO 27001                                                     BS7799
Security Policy                                               Security Policy
Organising Information Security *                             Security Organisation
Asset Management *                                            Asset Classification & Control
Human Resources Security *                                    Personnel Security
Physical & Environmental Security *                           Physical & Environmental Security
Communications & Operations Management *                      Communications & Operations Management
Access Control                                                Access Control
Information Systems Acquisition, Development and Maintenance * Systems Development & Maintenance
Information Security Incident Management                      (new domain, no BS7799 counterpart)
Business Continuity Management                                Business Continuity Management
Compliance                                                    Compliance

* - new control/s added


ISO 27001 Implementation


Implementation Process

• Assemble a Team and Agree to Your Strategy
• Define Scope
• Review Consultancy Options
• Identification of Legal, regulatory & contractual requirements
• Definition of Security Strategy & Organisation
• Identification of Information Assets
• Determination of Value of Information Assets
• Determination of Risk
• Determination of Policy(ies) and the Degree of Assurance Required from the Controls
• Identification of Control Objectives and Controls
• Statement of Applicability
• Definition of Policies, Standards, and Procedures to Implement the Controls
• Implementation of Policies, Standards, and Procedures
• Completion of ISMS Documentation Requirements
• Update Statement of Applicability
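As an added worked example (not from the original slides), the asset-valuation, risk-determination and Statement of Applicability steps of the implementation process above, carried through in Python. The scoring formula (rating of the affected property times threat likelihood), the risk-acceptance threshold, the sample assets, the threats and the threat-to-control mapping are assumptions constructed for illustration; ISO 27001 requires a repeatable method that gives comparable results, not this particular formula. The control numbers and titles are from Annex A of the 2005 edition and should be verified against your copy of the standard.

```python
"""Assumed worked example: asset valuation -> risk register -> Statement of Applicability.

Added illustration, not from the original slides. The scoring formula
(risk = rating of the affected property x threat likelihood), the risk
acceptance threshold and the threat-to-control mapping are assumptions
for this example. The Annex A identifiers are ISO/IEC 27001:2005 numbering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (low) to 5 (high)
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    name: str
    affects: str          # property the threat degrades: "C", "I" or "A"
    likelihood: int       # 1 (rare) to 5 (almost certain)
    controls: tuple       # Annex A controls assumed to treat this threat


RISK_ACCEPTANCE = 12      # assumed risk appetite: scores above this must be treated

# Constructed sample data for the example.
ASSETS = (
    Asset("Customer database", confidentiality=5, integrity=4, availability=3),
    Asset("Public website", confidentiality=1, integrity=3, availability=5),
)
THREATS = (
    Threat("Theft of backup media", "C", 3, ("A.10.7.1",)),
    Threat("Web defacement", "I", 4, ("A.11.2.1",)),
    Threat("Data centre outage", "A", 3, ("A.10.5.1", "A.14.1.1")),
)
CONTROL_CATALOGUE = {   # excerpt of Annex A (2005 numbering)
    "A.10.4.1": "Controls against malicious code",
    "A.10.5.1": "Information back-up",
    "A.10.7.1": "Management of removable media",
    "A.11.2.1": "User registration",
    "A.14.1.1": "Including information security in the business continuity management process",
}


def risk_score(asset: Asset, threat: Threat) -> int:
    """Impact is the rating of the property the threat degrades, not the asset's maximum."""
    impact = {"C": asset.confidentiality,
              "I": asset.integrity,
              "A": asset.availability}[threat.affects]
    return impact * threat.likelihood


def risk_register(assets=ASSETS, threats=THREATS) -> list:
    """Every asset/threat pair, scored and sorted with the highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat)
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "score": score,
                "treatment": "treat" if score > RISK_ACCEPTANCE else "accept",
                "controls": threat.controls,
            })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def statement_of_applicability(register, catalogue=CONTROL_CATALOGUE) -> dict:
    """Mark each catalogued control applicable or not, with the justification an auditor asks for."""
    needed = {}
    for row in register:
        if row["treatment"] == "treat":
            for control in row["controls"]:
                needed.setdefault(control, set()).add(f"{row['asset']} / {row['threat']}")
    soa = {}
    for control, title in catalogue.items():
        if control in needed:
            soa[control] = {"title": title, "applicable": True,
                            "justification": "treats: " + "; ".join(sorted(needed[control]))}
        else:
            soa[control] = {"title": title, "applicable": False,
                            "justification": "no risk above the acceptance level requires it"}
    return soa


if __name__ == "__main__":
    register = risk_register()
    for row in register:
        print(f"{row['score']:>3}  {row['treatment']:<6} {row['asset']} / {row['threat']}")
    for control, entry in statement_of_applicability(register).items():
        flag = "applicable" if entry["applicable"] else "not applicable"
        print(f"{control} {entry['title']}: {flag} ({entry['justification']})")
```

The point of scoring per property rather than per asset is visible in the output: the public website has low confidentiality, so media theft against it is accepted, while its high availability rating pushes the outage scenario above the threshold and makes the back-up and continuity controls applicable. A control that no treated risk needs (here A.10.4.1) is recorded as not applicable with a justification, which is what an auditor checks the Statement of Applicability for; re-running the register after each review is how the "Update Statement of Applicability" step is kept honest.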


Defining Scope and Participants

(Figure: contracts and agreements)


ISMS Documentation

Level 1 – Security Manual: Policy, Organisation, risk assessment, statement of applicability. Management framework policies relating to ISO 27001.
Level 2 – Procedures: Describes processes – who, what, when, where.
Level 3 – Work Instructions, checklists, forms, etc.: Describes how tasks and specific activities are done.
Level 4 – Records: Provides objective evidence of compliance to ISMS requirements.


Implementation Issues

Security Awareness Program is a very important issue. A tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

• Approval by CEO
• Select External Consultant
• Acquire Policy Tool
• Develop Documentation
• Disseminate Policy
• Conduct Awareness
• Educate Personnel
• Develop Security Newsletter
• Enforce Policy (Security Awareness Material)
• Monitor & Measure Compliance
• Develop other missing controls (Physical, BCP etc.)
• Update Security Technologies (if needed)
• ISO27001 Internal Assessment
• ISO27001 External Assessment
• Continue Awareness


Registration Process

Audit and Review of the Information Security Management System:

1. Choose a Registrar
2. Initial Inquiry
3. Quotation Provided
4. Application Submitted
5. Client Manager Appointed
6. Pre-Assessment (optional)
7. Phase 1: Undertake a Desktop Review
8. Phase 2: Undertake a Full Audit
9. Upon Successful Completion: Registration Confirmed
10. Continual Assessment (internal and external): Continuing (every 6 months), Re-Assessment (every 3 years)


Critical Success Factors

• Security policy that reflects business objectives
• Implementation approach consistent with company culture
• Visible support and commitment from management
• Good understanding of security requirements, risk assessment and risk management
• Effective marketing of security to all managers and employees
• Providing appropriate training and education
• A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feedback suggestions for improvement
• Use of automated Security Policy Management tool


Closing Remarks


ISO27001 can be…

Without genuine support from the top – a failure

Without proper implementation – a burden

With full support, proper implementation and ongoing commitment – a major benefit


ENCODE Middle East

Thank you for your time…

For more information please contact:

P.O. Box 500328, Dubai Internet City, Dubai – UAE

Tel.: +971-4-3608430

http://[email protected]

www.encodegroup.com