Module 7: 'Statement of Applicability'. ISO 27001, 4.2.1 j): 'Prepare a Statement of Applicability'.
TRANSCRIPT
-
1
Information Security Management System: Statement of Applicability. © Copyright 2013 Frank Wagner
Information Security Management System
Module 7:
Statement of Applicability (SoA)
Version 6.0 / MAY-26-2013
-
2
Content
● Requirements for SoA
● ISO 27001 Annex A
● Domains / Objectives / Controls
● Creating a SoA
-
4
Requirements for SoA (1)
ISO 27001, 4.2.1 j): 'Prepare a Statement of Applicability'. It shall include:
● the controls currently implemented
● the controls selected in RATP
● the justification for exclusion of any controls in Annex A
-
5
Requirements for SoA (2)
The Statement of Applicability provides a summary of decisions concerning risk treatment.
Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
-
7
ISO 27001 Annex A (1)
Remember: ISO 27001 Annex A is normative.
-
8
ISO 27001 Annex A (2)
Control objectives and controls from these tables shall be selected as part of the ISMS process
Annex A is not exhaustive. Additional control objectives and controls may be necessary
-
9
ISO 27001 Annex A (3)
[Diagram: boxes labelled Annex A, InfoSec Policy, RATP, SoA and Audits, connected by arrows labelled "provides input to..."]
-
11
Domains/Controls/Objectives
Annex A consists of
– 11 domains
– 39 control objectives
– 134 controls
-
12
Example (1)
Domain: A.7 Asset Management
Control Objective: A.7.2 Information Classification. To ensure that information receives an appropriate level of protection
Controls:
– A.7.2.1 Classification Guidelines
– A.7.2.2 Information labeling and handling
-
13
Example (2)
A.7.2.1 Classification Guidelines
Control: Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization
A.7.2.2 Information labeling and handling
Control: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization
-
14
Domains
A.5 Security Policy
A.6 Organization of information security
A.7 Asset Management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access Control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance with legal requirements
-
15
Objectives (1)
A.5 Security Policy
- Information Security Policy
A.6 Organization of information security
- Internal organization
- External parties
A.7 Asset management
- Responsibility for assets
- Information classification
-
16
Objectives (2)
A.8 Human resources security
- Prior to employment
- During employment
- Termination or change of employment
A.9 Physical and environmental security
- Secure areas
- Equipment security
-
17
Objectives (3)
A.10 Communications and operations management
- Operational procedures and responsibilities
- Third party service delivery management
- System planning and acceptance
- Protection against malicious and mobile code
- Back-up
- Network security management
- Media handling
- Exchange of information
- Electronic commerce services
- Monitoring
-
18
Objectives (4)
A.11 Access control
- Business requirement for access control
- User access management
- User responsibilities
- Network access control
- Operating system access control
- Application and information access control
- Mobile computing and teleworking
-
19
Objectives (5)
A.12 Information systems acquisition, development and maintenance
- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical vulnerability management
-
20
Objectives (6)
A.13 Information security incident management
- Reporting information security events and weaknesses
- Management of information security incidents and improvements
A.14 Business continuity management
- Information security aspects of business continuity management
-
21
Objectives (7)
A.15 Compliance
- Compliance with legal requirements
- Compliance with security policies and standards, and technical compliance
- Information systems audit considerations
-
23
SoA (1)
● For each of the 134 controls there shall be a statement in the SoA
– How is the control implemented? (references to documents)
– If it is not implemented: Why not?
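The two rules on this slide, together with the cross-check from the "Requirements for SoA (2)" slide (justifying exclusions shows that no control was inadvertently omitted), can be mechanised. The following script is an added example and is not part of the original course material: it walks a Statement of Applicability and reports every control that is missing, duplicated, implemented without document references, or excluded without a justification. The control catalogue and the sample SoA entries are constructed for the example (A.5.1.1 and the two A.7.2 controls are real Annex A identifiers from ISO 27001:2005; A.99.1.1 is a deliberately invalid one, and the document names are made up); a real catalogue would list all 134 controls.

```python
"""Completeness check for an ISO 27001 Statement of Applicability (added example).

Rule applied (from the slides): every Annex A control needs a statement that
either says how it is implemented (with references to documents) or why it
is not implemented.  Listing every exclusion is the cross-check that no
control was silently dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of the Annex A control catalogue.  A real SoA enumerates
# all 134 controls of ISO 27001:2005 Annex A.
ANNEX_A: Dict[str, str] = {
    "A.5.1.1": "Information security policy document",
    "A.7.2.1": "Classification guidelines",
    "A.7.2.2": "Information labeling and handling",
}


@dataclass
class SoAEntry:
    """One line of the SoA: the decision taken for a single control."""
    control_id: str
    implemented: bool
    references: List[str] = field(default_factory=list)  # documents that describe the implementation
    justification: Optional[str] = None                  # reason for exclusion when not implemented


def check_soa(catalogue: Dict[str, str], entries: List[SoAEntry]) -> List[str]:
    """Return a list of findings; an empty list means the SoA is complete."""
    findings: List[str] = []
    seen: Dict[str, SoAEntry] = {}

    for e in entries:
        if e.control_id not in catalogue:
            # Typos in control numbers are a common way to lose a control.
            findings.append(f"{e.control_id}: not an Annex A control (check the identifier)")
            continue
        if e.control_id in seen:
            findings.append(f"{e.control_id}: duplicate statement")
            continue
        seen[e.control_id] = e
        if e.implemented and not e.references:
            findings.append(f"{e.control_id}: implemented but no document references")
        if not e.implemented and not (e.justification or "").strip():
            findings.append(f"{e.control_id}: excluded without justification")

    # The cross-check: every catalogue control must have a statement.
    for cid, title in catalogue.items():
        if cid not in seen:
            findings.append(f"{cid}: no statement in the SoA ({title})")
    return findings


# Constructed sample SoA with one problem of each kind plus one clean entry.
SAMPLE_SOA: List[SoAEntry] = [
    SoAEntry("A.7.2.1", True, references=["ISMS-DOC-07 Classification Guideline"]),  # constructed document name
    SoAEntry("A.7.2.2", False),            # excluded, but no reason given
    SoAEntry("A.99.1.1", True, ["x"]),     # invalid control number
    # A.5.1.1 has no entry at all
]


def run_example() -> List[str]:
    """Run the check over the constructed sample and return its findings."""
    return check_soa(ANNEX_A, SAMPLE_SOA)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Running the script lists three findings: the unjustified exclusion of A.7.2.2, the unknown identifier A.99.1.1, and the missing statement for A.5.1.1. Feeding it the complete catalogue turns the "living document" requirement of the next slide into something that can be rerun after every change to the risk treatment plan.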
-
24
SoA (2)
● The SoA is classified as Confidential!
● The SoA is a living document
– It shall be updated regularly
● The SoA is required to obtain an ISO 27001 certification
-
25
Task List
1. Define Scope and Boundaries
2. Define ISMS Policy
3. Risk Assessment
4. Obtain management authorization to implement and operate the ISMS
5. Prepare a Statement of Applicability (SoA)
-
27
Where are we now?
Module / Topic
1 Why Information Security?
2 Social Engineering
3 Introduction to ISMS
4 Documentation
5 Establishing ISMS
6 Risk Management
7 Statement of Applicability
8 Implementation and Operation of ISMS
9 Information Security Awareness
10 Information Security Audits