ISO27001 What you need to know Presented by Rick Jones Head of IT Security Consultancy, British Telecom



Truth – Bad things happen


Questions for organisations

How can I plan properly and spend money on the right defences

How can I give my customers & suppliers more confidence to trade with me

How can I gain more control – to reduce the number of security incidents

How can I be more confident about the security of my data

Some kind of measurement or prioritisation system ?

Some kind of certificate or qualification?

Some kind of Early Warning system?

Some kind of Security Framework?

Security frameworks - the contenders ?

ISO27001 Information security management system

Big in Europe and Asia, relatively inexpensive, highly regarded, wide recognition, certification path

SAS70 type II audits

Report on an organisation’s processes

Big in US, expensive, disruptive, useful for satisfying SOX compliance

COBIT Set of best practices for IT

Big in US, highly regarded, strong links to 27001, cannot be certified to it

ITIL Set of concepts and policies for IT

Together with ISO20000 there is growing interest in this standard

Security policies

Set of standards for your organisation

Tailored, self-governed, not recognised externally


ISO27001 - Background

What is ISO27001 …

• It’s an information security management standard
• It provides a model for setting up and running an effective Information Security Management System (ISMS)
• It has worldwide recognition – over 5,000 certificates awarded
• It is designed around 133 security controls
• It’s big on risk management
• And it’s strong on governance
• It is awarded to organisations who can prove they protect data in accordance with the standard

ISO27001 – Protecting data

• Confidentiality means the data is safely stored so it can only be accessed by people who have a right to see it

• Integrity means the data cannot be altered by any unauthorised person

• Availability means the data is always available to those who have a right to see it

Simply, this means ensuring the Confidentiality, Integrity & Availability of the data

ISO27001 – Getting started

• Senior Manager buy-in – Funding & resources
• Scope – Agree what is going to be covered by the certificate
• Governance – Set up a security forum

ISO27001 – Security forum

• The forum are responsible for all the 27001 activities, so agree some Terms of Reference
• Chairman / secretary
• Minutes are essential
• Agree a Timeline for all the 27001 activities
• Membership of 6 people works a lot better than 12
• Senior enough to make decisions about risks
• All parts of the scope need to be represented

Challenges

• Can become a talking shop
• People don’t bother attending
• Scope creep
• People don’t do their action points

ISO27001 Plan – Do – Check – Act

PLAN – Establish the ISMS
- Get authorisation
- Define the scope & boundary
- Define the ISMS policy
- Define the risk assessment approach
- Identify, analyse and evaluate the risks
- How are the risks going to be treated
- Identify which controls are used to treat the risks
- Sign off the residual risks
- Prepare a Statement of Applicability

DO – Implement & operate the ISMS
- Start to manage the operation of the ISMS
- Risk Treatment Plan
- Implement the security controls
- Define how to measure the effectiveness of the controls
- Training and awareness
- Response to security events and incidents

CHECK – Monitor & review the ISMS
- Start to review the effectiveness of the ISMS
- Internal audit schedule
- Measure the effectiveness of the controls
- Review risk assessments
- Update the security plans

ACT – Maintain & improve the ISMS
- Implement improvements
- Take appropriate corrective and preventive action
- Communication plan
- Do the improvements achieve the intended objectives

How much pain is ISO27001?

ISO27001 – Biggest challenge

Risk Management … The entire standard revolves around your risks

- Impact

- Probability
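The PLAN steps above (assess risks, choose treatments, sign off residual risk, prepare a Statement of Applicability) and the Impact/Probability pair from this slide can be made concrete in a small risk register. This is an added illustration, not BT's tooling or anything from the standard: the 1–5 scales, the risk-appetite threshold, the control ids and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed 1-5 rating scales: the deck names Impact and Probability but gives no scale.
ACCEPTABLE_RISK = 6  # hypothetical risk-appetite threshold agreed by the security forum

@dataclass
class Risk:
    asset: str
    threat: str
    impact: int                           # 1 (negligible) .. 5 (severe)
    probability: int                      # 1 (rare) .. 5 (almost certain)
    controls: List[str] = field(default_factory=list)  # control ids chosen to treat the risk
    treated_probability: Optional[int] = None          # probability once controls operate

    def inherent_score(self) -> int:
        return self.impact * self.probability

    def residual_score(self) -> int:
        p = self.probability if self.treated_probability is None else self.treated_probability
        return self.impact * p

def treatment_decision(risk: Risk) -> str:
    """'accept' when residual risk is within appetite (ready for sign-off), else 'treat' further."""
    return "accept" if risk.residual_score() <= ACCEPTABLE_RISK else "treat"

def risk_register(risks: List[Risk]):
    """One row per risk: asset, inherent score, residual score, decision."""
    return [(r.asset, r.inherent_score(), r.residual_score(), treatment_decision(r)) for r in risks]

def statement_of_applicability(risks: List[Risk], catalogue: dict) -> dict:
    """Each catalogue control is applicable only if some assessed risk justifies it."""
    soa = {}
    for cid, name in catalogue.items():
        justified_by = [f"{r.asset}: {r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {"control": name, "applicable": bool(justified_by),
                    "justification": justified_by or ["no in-scope risk requires this control"]}
    return soa

# Constructed sample data; control ids are made up, not the standard's own numbering.
CATALOGUE = {"C-01": "Access control policy", "C-02": "Information backup",
             "C-03": "Clear desk and clear screen"}
RISKS = [
    Risk("customer database", "unauthorised access", 5, 4, ["C-01"], treated_probability=1),
    Risk("file server", "loss of data", 4, 3, ["C-02"], treated_probability=2),
    Risk("marketing brochures", "disclosure", 1, 3),  # low impact, accepted without controls
]
```

The file server row stays at "treat" because its residual score is still above the agreed appetite, which is exactly the case the forum must not sign off; the Statement of Applicability lists C-03 as not applicable with a recorded reason, which is what an assessor expects to see for excluded controls.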

ISO27001 – The external assessment

• Stage 1 – looks at the ISMS to ensure it is fit for purpose

• Stage 2 – looks in more detail at how the security controls have been implemented

• Does not look for security perfection – rather it’s looking for how Security is being managed

ISO27001 – Future requirements

You cannot stand still…

• 6 monthly surveillance audits
• Full re-certification every 3 years
• Organisation has to show evidence of continual improvement
• Schedule of internal audits is required
• Organisation has to measure the effectiveness of the security controls
• Everything has to be evidenced
• Formal annual management review
• Security forum meet every few weeks

ISO27001 – Killer facts

Benefits & advantages of ISO27001…

• It helps BT to position its bids: ISO27001 satisfies many questions from customers about BT’s security

• Having an independent auditor verify the strength of our security story helps to position BT’s response to legal & regulatory questions – on Sarbanes-Oxley, PCI, Turnbull, etc

• We use ISO27001 as an alternative to expensive SAS70 type II audits – for some key clients such as PepsiCo, Credit Suisse & Citigroup

• We use ISO27001 to restrict the number of customer audits on BT sites

• BT has 26 certificates covering around 90 sites and services

• Contracts with a requirement for ISO27001 are worth over £6bn

Thank you Any Questions?

Version: 1-2 Date: 22 March 2010
Owner: Rick Jones [email protected]

Head of Information Security Consultancy