TRANSCRIPT
ISO27001 What you need to know
Presented by Rick Jones, Head of IT Security Consultancy, British Telecom
Questions for organisations
How can I plan properly and spend money on the right defences?
How can I give my customers & suppliers more confidence to trade with me?
How can I gain more control – to reduce the number of security incidents?
How can I be more confident about the security of my data?
Some kind of measurement or prioritisation system?
Some kind of certificate or qualification?
Some kind of Early Warning system?
Some kind of Security Framework?
Security frameworks - the contenders?
ISO27001 - Information security management system
Big in Europe and Asia, relatively inexpensive, highly regarded, wide recognition, certification path
SAS70 type II audits - Report on an organisation’s processes
Big in US, expensive, disruptive, useful for satisfying SOX compliance
COBIT - Set of best practices for IT
Big in US, highly regarded, strong links to 27001, cannot be certified to it
ITIL - Set of concepts and policies for IT
Together with ISO20000 there is growing interest in this standard
Security policies - Set of standards for your organisation
Tailored, self-governed, not recognised externally
ISO27001 - Background
What is ISO27001 …
• It’s an information security management standard
• It provides a model for setting up and running an effective Information Security Management System (ISMS)
• It has worldwide recognition – over 5,000 certificates awarded
• It is designed around 133 security controls
• It’s big on risk management
• And it’s strong on governance
• It is awarded to organisations who can prove they protect data in accordance with the standard
ISO27001 – Protecting data
Simply, this means ensuring the Confidentiality, Integrity & Availability of the data
• Confidentiality means the data is safely stored so it can only be accessed by people who have a right to see it
• Integrity means the data cannot be altered by any unauthorised person
• Availability means the data is always available to those who have a right to see it
ISO27001 – Getting started
• Senior Manager buy-in: Funding & resources
• Scope: Agree what is going to be covered by the certificate
• Governance: Set up a security forum
ISO27001 – Security forum
• The forum is responsible for all the 27001 activities, so agree some Terms of Reference
• Chairman / secretary
• Minutes are essential
• Agree a Timeline for all the 27001 activities
• Membership of 6 people works a lot better than 12
• Senior enough to make decisions about risks
• All parts of the scope need to be represented
Challenges
• Can become a talking shop
• People don’t bother attending
• Scope creep
• People don’t do their action points
ISO27001 Plan – Do – Check – Act
PLAN – Establish the ISMS
- Get authorisation
- Define the scope & boundary
- Define the ISMS policy
- Define the risk assessment approach
- Identify, analyse and evaluate the risks
- How are the risks going to be treated
- Identify which controls are used to treat the risks
- Sign off the residual risks
- Prepare a Statement of Applicability
DO – Implement & operate the ISMS
- Start to manage the operation of the ISMS
- Risk Treatment Plan
- Implement the security controls
- Define how to measure the effectiveness of the controls
- Training and awareness
- Response to security events and incidents
CHECK – Monitor & review the ISMS
- Start to review the effectiveness of the ISMS
- Internal audit schedule
- Measure the effectiveness of the controls
- Review risk assessments
- Update the security plans
ACT – Maintain & improve the ISMS
- Implement improvements
- Take appropriate corrective and preventive action
- Communication plan
- Do the improvements achieve the intended objectives
ISO27001 – Biggest challenge
Risk Management … The entire standard revolves around your risks
- Impact
- Probability
ISO27001 – The external assessment
• Stage 1 – looks at the ISMS to ensure it is fit for purpose
• Stage 2 – looks in more detail at how the security controls have been implemented
• Does not look for security perfection – rather it’s looking for how Security is being managed
ISO27001 – Future requirements
You cannot stand still…
• 6-monthly surveillance audits
• Full re-certification every 3 years
• Organisation has to show evidence of continual improvement
• Schedule of internal audits is required
• Organisation has to measure the effectiveness of the security controls
• Everything has to be evidenced
• Formal annual management review
• Security forum meets every few weeks
ISO27001 – Killer facts
Benefits & advantages of ISO27001…
• It helps BT to position its bids: ISO27001 satisfies many questions from customers about BT’s security
• Having an independent auditor verify the strength of our security story helps to position BT’s response to legal & regulatory questions – on Sarbanes-Oxley, PCI, Turnbull, etc
• We use ISO27001 as an alternative to expensive SAS70 type II audits – for some key clients such as PepsiCo, Credit Suisse & Citigroup
• We use ISO27001 to restrict the number of customer audits on BT sites
• BT has 26 certificates covering around 90 sites and services
• Contracts with a requirement for ISO27001 are worth over £6bn
Thank you Any Questions?
Version: 1-2  Date: 22 March 2010  Owner: Rick Jones [email protected]
Head of Information Security Consultancy