ISO / IEC 27001:2005 – A brief introduction
Dimitris Petropoulos, Managing Director
ENCODE Middle East, September 2006
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
Information
– Printed or written on paper
– Stored electronically
– Transmitted by mail or electronic means
– Spoken in conversations
– …
What is Information Security
ISO 27001 defines this as the preservation of:
– Confidentiality – Ensuring that information is accessible only to those authorized to have access
– Integrity – Safeguarding the accuracy and completeness of information and processing methods
– Availability – Ensuring that authorized users have access to information and associated assets when required
(Slide diagram: Information at the centre, surrounded by Threats, Vulnerabilities and Risks)
Achieving Information Security
4 Ps of Information Security
People – Products – Policy & Procedures
Drivers & Benefits of compliance with the standard
ISO27001 Drivers
Internal Business Drivers
– Corporate Governance
– Increased Risk Awareness
– Competition
– Customer Expectation
– Market Expectation
– Market Image
Regulators
Reasons for seeking Certification according to a BSI-DISC survey:
– Best Practice – 38%
– Business Security – 35%
– Competitive Advantage – 18%
– Market Demand – 9%
Benefits of compliance [1]
Improved effectiveness of Information Security
Market Differentiation – Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
The only standard with global acceptance
Potential lower rates on insurance premiums
Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
Reduced liability arising from unimplemented or unenforced policies and procedures
Benefits of compliance [2]
Senior Management takes ownership of Information Security
Standard covers IT as well as organization, personnel, and facilities
Focused staff responsibilities
Independent review of the Information Security Management System
Better awareness of security
Combined resources with other Management Systems (e.g. QMS)
Mechanism for measuring the success of the security controls
ISO27001 Evolution
ISO27001/ISO17799/BS7799: History
– 1995 – BS 7799 Part 1
– 1998 – BS 7799 Part 2
– 1999 – New issue of BS 7799 Part 1 & 2
– Dec 2000 – ISO 17799:2000
– 2002 – New BS 7799-2
– 2005 – New ISO 17799:2005 released; ISO 27001:2005 released
ISO 27001, ISO17799 & BS7799 Standards
ISO/IEC 17799 = BS 7799 Part 1 – Code of Practice for Information Security Management
– Provides a comprehensive set of security controls
– Based on best information security practices
– It cannot be used for assessment and registration
ISO 27001 = BS 7799 Part 2 – Specification for Information Security Management Systems
– Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
– Specifies requirements for security controls to be implemented
– Can be used for assessment and registration
Why BS7799 moved to ISO27001
Elevation to international standard status
More organizations are expected to adopt it
Clarifications and Improvements made by the International Organization for Standardization
Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)
The ISO 27000 series
– ISO 27000 – principles and vocabulary (in development)
– ISO 27001 – ISMS requirements (BS7799 – Part 2)
– ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
– ISO 27003 – ISMS Implementation guidelines (due 2007)
– ISO 27004 – ISMS Metrics and measurement (due 2007)
– ISO 27005 – ISMS Risk Management
– ISO 27006 – 27010 – allocation for future use
ISO 27001 Overview
What is ISO27001?
An internationally recognized structured methodology dedicated to information security
A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
A comprehensive set of controls comprised of best practices in information security
Applicable to all industry sectors
Emphasis on prevention
ISO27001 Is Not…
A technical standard
Product or technology driven
An equipment evaluation methodology such as the Common Criteria/ISO 15408
– But may require utilization of a Common Criteria Equipment Assurance Level (EAL)
Holistic Approach
ISO 27001 defines best practices for information security management
A management system should balance physical, technical, procedural, and personnel security
Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached
Information security is a management process, not a technological process
ISO 27001:2005 - PDCA
1. Establish the ISMS
• Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
2. Implement and operate the ISMS
• Implement and operate the security policy, controls, processes and procedures.
3. Monitor and review the ISMS
• Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.
4. Maintain and improve the ISMS
• Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.
ISO 27001:2005 Structure
Five Mandatory requirements of the standard:
Information Security Management System
• General requirements
• Establishing and managing the ISMS (e.g. Risk Assessment)
• Documentation Requirements
Management Responsibility
• Management Commitment
• Resource Management (e.g. Training, Awareness)
Internal ISMS Audits
Management Review of the ISMS
• Review Input (e.g. Audits, Measurement, Recommendations)
• Review Output (e.g. Update Risk Treatment Plan, New Resources)
ISMS Improvement
• Continual Improvement
• Corrective Action
• Preventive Action
The 11 Domains of Information Management
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Overall the standard can be put in:
• Domain Areas – 11,
• Control Objectives – 39, and
• Controls – 133
ISO27001 vs BS7799
ISO27001 vs BS7799 [1]
ISO 27001                                                      | BS7799
Security Policy                                                | Security Policy
Organising Information Security *                              | Security Organisation
Asset Management *                                             | Asset Classification & Control
Human Resources Security *                                     | Personnel Security
Physical & Environmental Security *                            | Physical & Environmental Security
Communications & Operations Management *                       | Communications & Operations Management
Access Control                                                 | Access Control
Information Systems Acquisition, Development and Maintenance * | Systems Development & Maintenance
Information Security Incident Management                       | –
Business Continuity Management                                 | Business Continuity Management
Compliance                                                     | Compliance
* – new control/s added
ISO 27001 Implementation
Implementation Process
– Assemble a Team and Agree to Your Strategy
– Identification of Information Assets
– Determination of Value of Information Assets
– Determination of Risk
– Determination of Policy(ies) and the Degree of Assurance Required from the Controls
– Identification of Control Objectives and Controls
– Define Scope; Review Consultancy Options
– Definition of Policies, Standards, and Procedures to Implement the Controls
– Implementation of Policies, Standards, and Procedures
– Completion of ISMS Documentation Requirements
– Update Statement of Applicability
– Identification of Legal, regulatory & contractual requirements
– Definition of Security Strategy & Organisation
– Statement of Applicability
– Contracts and agreements
– Defining Scope and Participants
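The asset, value, risk, control-selection and Statement of Applicability steps above can be followed in code. The block below is an added example, not material from the presentation or from ENCODE: the 1–5 scales, the product scoring formula, the High/Medium/Low bands, the acceptance level and the control catalogue (ids C-01 to C-05, with titles assigned to the standard's domain names) are all assumptions constructed for the example. ISO 27001 does not prescribe a scoring formula; it requires a documented method that gives comparable, reproducible results, which is what the fixed scales and thresholds here provide.

```python
"""Toy ISMS pipeline: assets -> value -> risk register -> treatment -> Statement of Applicability.
Scales, formula, thresholds and the control catalogue are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    value: int  # 1 (negligible) .. 5 (critical) business value


@dataclass(frozen=True)
class Threat:
    asset: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe) loss of C, I or A
    controls: tuple  # catalogue ids that would treat this risk


# Hypothetical catalogue: id -> (domain taken from the 11 domains, control title).
# The ids are placeholders for this example, not Annex A numbers.
CONTROL_CATALOGUE = {
    "C-01": ("Human Resources Security", "Removal of access rights on termination"),
    "C-02": ("Access Control", "Periodic user access review"),
    "C-03": ("Communications & Operations Management", "Information backup"),
    "C-04": ("Information Systems Acquisition, Development and Maintenance",
             "Input data validation"),
    "C-05": ("Business Continuity Management", "Continuity plan testing"),
}

LEVEL_THRESHOLDS = (("High", 60), ("Medium", 20), ("Low", 0))  # assumed bands


def risk_score(asset: Asset, threat: Threat) -> int:
    """Assumed formula: asset value x likelihood x impact (range 1..125)."""
    for scale_value in (asset.value, threat.likelihood, threat.impact):
        if not 1 <= scale_value <= 5:
            raise ValueError("all scale values must be in 1..5")
    return asset.value * threat.likelihood * threat.impact


def risk_level(score: int) -> str:
    for level, floor in LEVEL_THRESHOLDS:
        if score >= floor:
            return level
    return "Low"


def build_risk_register(assets, threats):
    """'Determination of Risk': one row per threat scenario, highest risk first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        asset = by_name[t.asset]  # KeyError means a threat names an uninventoried asset
        score = risk_score(asset, t)
        rows.append({"asset": asset.name, "owner": asset.owner, "scenario": t.scenario,
                     "score": score, "level": risk_level(score), "controls": t.controls})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def treatment_plan(register, accept_below="Medium"):
    """Risks below the acceptance level are accepted; all others select their controls."""
    order = [lvl for lvl, _ in LEVEL_THRESHOLDS]  # High, Medium, Low
    accepted_levels = set(order[order.index(accept_below) + 1:])
    plan = []
    for row in register:
        if row["level"] in accepted_levels:
            plan.append({**row, "decision": "Accept", "selected": ()})
        else:
            plan.append({**row, "decision": "Reduce", "selected": row["controls"]})
    return plan


def statement_of_applicability(plan, catalogue=CONTROL_CATALOGUE):
    """Lists every catalogue control, applicable or not, each with a justification."""
    reasons = {}
    for row in plan:
        for cid in row["selected"]:
            reasons.setdefault(cid, []).append(f"{row['asset']}: {row['scenario']}")
    soa = {}
    for cid, (domain, title) in catalogue.items():
        applicable = cid in reasons
        soa[cid] = {"domain": domain, "title": title, "applicable": applicable,
                    "justification": ("treats: " + "; ".join(reasons[cid])) if applicable
                    else "no risk above the acceptance level requires it"}
    return soa


# Constructed sample inventory for a small organization.
ASSETS = [
    Asset("Customer database", "Head of Sales", 5),
    Asset("Mail server", "IT Manager", 4),
    Asset("Marketing brochures", "Marketing", 1),
]
THREATS = [
    Threat("Customer database", "ex-employee retains a working login", 3, 5, ("C-01", "C-02")),
    Threat("Customer database", "disk failure without restorable backup", 2, 4, ("C-03",)),
    Threat("Mail server", "prolonged outage at the hosting site", 3, 3, ("C-03", "C-05")),
    Threat("Marketing brochures", "web form accepts malformed input", 2, 2, ("C-04",)),
]

if __name__ == "__main__":
    plan = treatment_plan(build_risk_register(ASSETS, THREATS))
    for row in plan:
        print(f"{row['score']:3d} {row['level']:6s} {row['decision']:6s} "
              f"{row['asset']}: {row['scenario']}")
    for cid, entry in statement_of_applicability(plan).items():
        state = "applicable" if entry["applicable"] else "not applicable"
        print(f"{cid} {state} - {entry['justification']}")
```

Running the block prints the register in descending order and then the SoA; the "not applicable" entry for C-04 with its written justification is the point an auditor looks for, since the standard expects excluded controls to be justified, not silently omitted. The "Update Statement of Applicability" step later in the process is the same function run again after the implemented controls and any changed risk values are fed back in.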
ISMS Documentation
– Level 1 – Security Manual: Policy, Organisation, risk assessment, statement of applicability. Management framework policies relating to ISO 27001.
– Level 2 – Procedure: Describes processes – who, what, when, where.
– Level 3 – Work Instructions, checklists, forms, etc.: Describes how tasks and specific activities are done.
– Level 4 – Records: Provides objective evidence of compliance to ISMS requirements.
Implementation Issues
Security Awareness Program is a very important issue. A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.
– Approval by CEO
– Develop Documentation
– Disseminate Policy
– Conduct Awareness
– Select External Consultant
– Acquire Policy Tool
– Educate Personnel
– Develop Security Newsletter
– Monitor & Measure Compliance
– Develop other missing controls (Physical, BCP etc.)
– Update Security Technologies (if needed)
– ISO27001 External Assessment
– Continue Awareness
– Enforce Policy
– Security Awareness Material
– ISO27001 Internal Assessment
Registration Process
Audit and Review of Information Security Management System
– Choose a Registrar
– Initial Inquiry
– Quotation Provided
– Application Submitted
– Client Manager Appointed
– Pre-Assessment (Optional)
– Phase 1 – Undertake a Desktop Review
– Phase 2 – Undertake a Full Audit
– Upon Successful Completion – Registration Confirmed
– Continual Assessment (Internal / External): Continuing (every 6 months); Re-Assessment (every 3 years)
Critical Success Factors
– Security policy that reflects business objectives
– Implementation approach consistent with company culture
– Visible support and commitment from management
– Good understanding of security requirements, risk assessment and risk management
– Effective marketing of security to all managers and employees
– Providing appropriate training and education
– A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feedback suggestions for improvement
– Use of automated Security Policy Management tool
Closing Remarks
ISO27001 can be…
Without genuine support from the top – a failure
Without proper implementation – a burden
With full support, proper implementation and ongoing commitment – a major benefit
ENCODE Middle East
Thank you for your time…
For more information please contact:
P.O. Box 500328, Dubai Internet City, Dubai – UAE
Tel.: +971-4-3608430
www.encodegroup.com