ISO 27001:2005
Definition
ISO 27001 is a specification for an information security management system (ISMS).
An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
Agenda
• 11 Domains of ISO 27001:2005
• Benefits of ISO 27001 to you & your clients
• Lessons Learned
• Discussion, Questions
ISO 27001:2005 – 11 Domains
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
1. Security Policy
Information Security Policy
Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
2. Organization of Information Security
Internal Organization
Objective: To manage information security within the organization.
External Parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
3. Asset Management
Responsibility for Assets
Achieve and maintain appropriate protection of organizational assets.
Information Classification
Ensure that information receives an appropriate level of protection.
4. Human Resources Security
Prior to Employment
To ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
During Employment
To ensure that all employees, contractors and third party users are aware of information security threats and concerns, and of their responsibilities and liabilities.
Termination or Change of Employment
To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
5. Physical and Environmental Security
Secure Areas
Prevent unauthorized physical access, damage and interference to the organization’s premises and information.
Equipment Security
Prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.
6. Communications and Operations Management
Operational procedures and responsibilities
Ensure the correct and secure operation of information processing facilities.
Third party service delivery management
Implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
System planning and acceptance
Minimize the risk of systems failures.
Protection against malicious and mobile code
Protect the integrity of software and information.
Back-up
Maintain the integrity and availability of information and information processing facilities.
6. Communications and Operations Management (continued)
Network security management
Protect information in networks and the supporting infrastructure.
Media handling
Prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
Exchange of information
Maintain the security of information and software exchanged within an organization and with any external entity.
Electronic commerce services
Ensure the security of electronic commerce services, and their secure use.
Monitoring
Detect unauthorized information processing activities.
7. Access Control
Business Requirement for Access Control
Control access to information.
User Access Management
Ensure authorized user access and prevent unauthorized access to information systems.
User Responsibilities
Prevent unauthorized user access, and compromise or theft of information and information processing facilities.
Network Access Control
Prevent unauthorized access to networked services.
Operating System Access Control
Prevent unauthorized access to operating systems.
Application and Information Access Control
Prevent unauthorized access to information held in application systems.
Mobile Computing and Teleworking
Ensure information security when using mobile computing and teleworking facilities.
8. Information Systems Acquisition, Development and Maintenance
Security Requirements of Information Systems
Ensure that security is an integral part of information systems.
Correct Processing in Applications
Prevent errors, loss, unauthorized modification or misuse of information in applications.
Cryptographic Controls
Protect the confidentiality, authenticity or integrity of information by cryptographic means.
Security of System Files
Ensure the security of system files.
Security in Development and Support Processes
Maintain the security of application system software and information.
Technical Vulnerability Management
Reduce risks resulting from exploitation of published technical vulnerabilities.
9. Information Security Incident Management
Reporting Information Security Events and Weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Management of Information Security Incidents and Improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
10. Business Continuity Management
Information Security Aspects of Business Continuity Management
Counteract interruptions to business activities, protect critical business processes from the effects of major failures of information systems or disasters, and ensure their timely resumption.
11. Compliance
• Legal Requirements
• Security Policies and Standards
• Technical Compliance
• Information Systems Audit Considerations
Lessons Learned
• Employ a third-party auditor to create your initial IMS manual.
• If you have more than one ISO accreditation, or intend to gain more than one, apply for all of them at the same time and incorporate them all in one manual.
• Don’t use people’s names in the IMS, just positions.
• SOPs should be just that, standard: try to ensure that you have one set Group-wide.
Lessons Learned (continued)
• Get your team on board from the outset; help them understand the importance of gaining and maintaining these accreditations.
• Do your internal audits 6 months before your external audit.
• Review all documentation annually.
• Ensure the accreditations work for you and not the other way around.