Top Management Role in Implementing ISO/IEC 27001
Mohamad Khachab, MBA, PECB Certified Trainer, ISO 27001 LI, ISO 27005 RM
January 27, 2016
Mohamad Khachab, Lecturer, Management Consultant
Mr. Mohamad Khachab has 30 years of professional experience in management consultancy,
project management, teaching/training, IT Procurement, preparing proposals, information risk
management, research, developing bidding documents, and business development activities.
703-962-0793
khachabmy@ics4business.com www.ics4business.com
linkedin.com/in/mohamadkhachab
Top Management Role in Implementing ISO/IEC 27001
Agenda
• Introduction
• ISO 27001 Standard
• Structure & Controls
• Costs
• PDCA Model
• Data Qualities
• Management Planning
• Decision Making Factors
• Implementation Project Phases
PECB Webinar, Khachab, Management Role in Implementing ISO 27001, Jan. 27, 2016
Introduction
• All about “Tone at the Top”
• Strategic & healthy atmosphere
• TQM is a long term strategy
• Enterprise-wide awareness
• Senior management involvement
• Education/training (facts only, statistical methods, no myth)
• Decision making techniques
ISO 27001
• ISO 27001 requires a company to establish, implement, and maintain a continuous improvement approach to manage its ISMS.
ISO 27001 Standard
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.
ISO 27001 Standard
ISO 27001:2013 details 114 controls or security measures organized into 14 groups:
• Information security policies (2 controls)
• Organization of information security (7 controls)
• Human resource security (6 controls, applied before, during, or after employment)
• Asset management (10 controls)
• Access control (14 controls)
• Cryptography (2 controls)
• Physical and environmental security (15 controls)
• Operations security (14 controls)
• Communications security (7 controls)
• System acquisition, development and maintenance (13 controls)
• Supplier relationships (5 controls)
• Information security incident management (7 controls)
• Information security aspects of business continuity management (4 controls)
• Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
Costs
Costs are driven by risk perception and by how much risk the organization is prepared to accept. Four costs for management to consider:
1. Internal resources
2. External resources
3. Certification
4. Implementation
PDCA Model
Process Objectives
Easy to understand and implement.
Desired results:
- Time and cost savings kept in mind.
- Management review of processes.
Data Qualities
• Confidentiality – Ensure information is accessible only to those authorized to have access.
• Integrity – Safeguard the accuracy and completeness of information and processing methods.
• Availability – Ensure that authorized users have access to information and assets when required.
What is your organization like?
• I want you to think in terms of:
– Culture
– Management practice
– Formal processes
– Maturity of TQM processes
– Strategies and business planning
– Internal Audit function
– IT Department and customer satisfaction
• Is senior managers' decision making rational?
Do you have a TQM Strategy?
TQM strategies vary from one organization to another, but a set of primary elements must be present:
• Top management has identified TQM as one of the organization's long term and competitive strategies and is committed to it.
Management Planning
Vital to the success of implementation are two critical functions:
1. Effective input and early involvement of the Internal Audit Department, which contributes to effective development of the implementation strategy and to management review during the certification stages.
Management Planning (Cont.)
2. The IT Department will have to dedicate resources and time to the ISO 27001 implementation project.
Many constraints and questions:
- Are there other IT compliance initiatives?
- Are procedures and policies in the works?
- How mature are the existing IT processes and controls?
- Are they aligned with the ISO 27001 requirements?
Enterprise Wide Project
Other business departments play an important role in the ISMS implementation.
Decision Making Factors
A number of factors influence when and how to implement a standard:
– Business Objectives and priorities
– Existing IT maturity levels
– User acceptability and awareness
– Internal audit capability
– Contractual obligations
– Customer requirements
– Ability to adapt to change
– Adherence to internal processes
– Existing compliance efforts and legal requirements
– Existing training programs
Implementation Roadmap
• Initial Approach
• Management Support
• Scoping
• Planning
• Communications
• Risk Assessment
• Controls Selection
• Documentation
• Testing
• Successful Certification
Advice
- Address risks and opportunities rather than preventive action.
- Stress maintaining documented information rather than records.
- Set objectives.
- Monitor performance and develop metrics.
ISO 27001 Suggested Steps
• Define an ISMS Policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Manage the identified risk.
• Select controls to be implemented and applied.
• Prepare a Statement of Applicability (SOA).
Identify Business Objectives
• You should know your interested parties (stakeholders).
• Identify and prioritize objectives to gain management support.
• Objectives are identified from business documents such as the mission statement, strategic plan and IT business plan.
Identify Business Objectives (Cont.)
• Increase marketing reach.
• Provide assurance to business partners and customers.
• Increase revenue and profitability.
• Identify assets.
• Assess risk effectively.
• Preserve the organization's reputation.
• Comply with government and industry regulators.
Obtain Management Support
Management support includes initiatives such as:
• An information security policy exists.
• Information security objectives and plans are defined.
• An information security roles and responsibilities matrix exists.
• The importance of adherence to information security policies is communicated to the whole organization.
• Sufficient resources are identified to manage, develop, maintain, and implement the ISMS.
• The acceptable risk level is determined.
• Periodic management reviews of the ISMS are held.
• Proper training is assured for personnel affected by the ISMS.
• Competent personnel are appointed to their assigned roles and duties.
Implementation Scope
The standard requires listing scope exclusions and the reasons for them.
When setting scope, consider:
- Whether the selected scope helps achieve the identified business objectives.
- The organization's overall scale of operations, which determines the process' complexity level.
- The number of employees, business processes, locations, products, and services offered.
- What areas, locations, assets or technologies will be controlled by the ISMS.
- Does the ISMS apply to suppliers?
- Are there dependencies on other organizations?
- Is any regulatory or legislative standard applicable?
Define a Risk Assessment Method
The risk assessment method must be defined and documented. Things to consider:
• Which method is used to assess the risk?
• Which risks are intolerable and must be mitigated?
• Manage the residual risk!
Prepare Inventory of Information Assets
Management has to prioritize the assets to be protected according to risk classification, and record the owner, location, criticality and replacement value of each asset.
Three impact levels: high, medium, and low.
Identify risks and classify them according to severity and vulnerability.
Based on risk values, determine whether each risk is tolerable and whether a control is needed to eliminate or reduce it.
Create a Risk Treatment Plan
• Organizations must either accept, avoid, transfer or reduce the risk to an acceptable level.
• Identification of operational controls and additional proposed controls.
• It is very important to obtain management approval of the proposed residual risks.
• Develop a schedule of proposed control implementation.
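As an added example (not from the deck), the method of the three preceding slides as a small Python risk register: an asset inventory with owner, location, criticality and replacement value, a documented risk value, a management-set tolerance, the four treatment options, and residual risk that must be approved by management. The 1-3 scales, the impact × likelihood rule, the tolerance of 3 and the sample assets are assumptions.

```python
"""Constructed ISO 27001-style risk register (added example, not from the deck).

Assumptions (not from the deck): a 1-3 ordinal scale for impact and
likelihood, risk value = impact x likelihood, and a management-set
tolerance threshold. Asset and risk records are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The deck names the three impact levels; the likelihood scale and the
# multiplication rule are assumptions of this example.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
TREATMENTS = ("accept", "avoid", "transfer", "reduce")  # the four options in the deck


@dataclass
class Asset:
    """Inventory record: owner, location, criticality and replacement value."""
    name: str
    owner: str
    location: str
    criticality: str  # impact level: low / medium / high
    replacement_value: float


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: str
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)  # existing and proposed controls
    residual_likelihood: Optional[str] = None  # likelihood once the controls are in place
    management_approved: bool = False  # management sign-off on the residual risk

    def inherent_value(self) -> int:
        return IMPACT[self.asset.criticality] * LIKELIHOOD[self.likelihood]

    def residual_value(self) -> int:
        # Without a treatment that lowers likelihood, residual risk equals inherent risk.
        return IMPACT[self.asset.criticality] * LIKELIHOOD[self.residual_likelihood or self.likelihood]


def is_tolerable(value: int, tolerance: int) -> bool:
    """Management's acceptance criterion: values at or below the tolerance are tolerable."""
    return value <= tolerance


def plan_treatment(risk: Risk, tolerance: int) -> Risk:
    """Tolerable risks default to 'accept'; intolerable ones must name a treatment."""
    if risk.treatment is not None and risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if is_tolerable(risk.inherent_value(), tolerance):
        risk.treatment = risk.treatment or "accept"
    elif risk.treatment is None:
        raise ValueError(f"{risk.asset.name}: intolerable risk ({risk.inherent_value()}) has no treatment")
    return risk


def needs_management_approval(risk: Risk, tolerance: int) -> bool:
    """Residual risk still above tolerance must be explicitly approved by management."""
    return not is_tolerable(risk.residual_value(), tolerance) and not risk.management_approved


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by the asset's replacement value."""
    return sorted(risks, key=lambda r: (r.inherent_value(), r.asset.replacement_value), reverse=True)


def pending_approvals(risks: List[Risk], tolerance: int) -> List[str]:
    """Assets whose residual risk blocks the treatment plan until management signs off."""
    return [r.asset.name for r in risks if needs_management_approval(r, tolerance)]


def build_sample_register() -> Tuple[List[Risk], int]:
    """Constructed sample data; the tolerance of 3 is an assumed management decision."""
    customer_db = Asset("Customer database", "CIO", "Data centre 1", "high", 250_000)
    hr_share = Asset("HR file share", "HR Director", "Head office", "medium", 40_000)
    brochures = Asset("Marketing brochures", "CMO", "Public website", "low", 2_000)
    risks = [
        Risk(customer_db, "unauthorized disclosure", "possible", treatment="reduce",
             controls=["access control review", "encryption at rest"], residual_likelihood="rare"),
        Risk(hr_share, "ransomware", "likely", treatment="transfer",
             controls=["cyber insurance"]),  # transfer does not lower the residual value
        Risk(brochures, "website defacement", "likely"),  # tolerable: accepted by default
    ]
    tolerance = 3
    return [plan_treatment(r, tolerance) for r in risks], tolerance


if __name__ == "__main__":
    register, tol = build_sample_register()
    for r in prioritize(register):
        print(f"{r.asset.name:20} inherent={r.inherent_value()} residual={r.residual_value()} "
              f"treatment={r.treatment} approval_needed={needs_management_approval(r, tol)}")
    print("awaiting management approval:", pending_approvals(register, tol))
```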
Allocate Resources & Train your Staff
The ISMS process highlights one of the most important commitments for management: resources to manage, develop, maintain, and implement the ISMS.
- Auditors ask to see documentation of training.
Monitor the Implementation of ISMS
• Internal audit review consists of testing of controls and identifying corrective/preventive actions.
• The ISMS needs to be reviewed by management at periodic planned intervals.
• Project Management Review: follows changes/improvements to policies, procedures, controls and staffing decisions.
• Document and maintain all results.
Prepare for the Certification Audit
To be certified, the organization must:
• conduct a full cycle of internal audits,
• perform management reviews and the activities in the PDCA process,
• retain evidence of reviews and audits, and
• have management review risk assessments, risk treatment plans, the SOA, and policies and procedures annually.
Conduct Periodic Assessment Audits
• ISO 27001 follows the PDCA cycle and assists management in knowing the enterprise's progression along the cycle.
• Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.
• Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified.
Questions?
Thank you
703-962-0793
khachabmy@ics4business.com www.ics4business.com
linkedin.com/in/mohamadkhachab
