The security of information systems and business-critical information needs constant management to ensure operational continuity and data protection. ISO 27001 Information Security Management System certification lets an organization stand out from the competition through demonstrably strong information security management.
2. Presentation Outline
What is an ISMS
Why ISMS
Who needs ISMS
Information Security Management System – ISO/IEC 27001
ISMS – ISO 27002 Code of Practice
Protecting Information
The Certification Process
ISMS Implementation Programme
Major components of the ISMS
Benefits of Certification
Overview of ISO 27001
3. What is an ISMS
An ISMS provides a framework to establish, implement, operate, monitor, review, maintain and improve information security within an organization.
An ISMS provides the means to:
Manage risks to suit the business activity
Manage incident handling activities
Build a security culture
Conform to the requirements of the Standard
4. Why ISMS
The information security that can be achieved through technical means alone is limited.
Security also depends on people, policies, processes and procedures.
Resources are limited.
It is not a one-off exercise, but an ongoing activity.
All of these can be addressed effectively and efficiently only through a proper ISMS.
5. Who needs ISMS
Every organization which values information needs to protect it, e.g.:
Banks
Call centers
IT companies
Government & parastatal bodies
Manufacturing concerns
Hospitals
Insurance companies
6. Information Security Management System
ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
The adoption of an ISMS is a strategic decision.
The design and implementation of an organization’s ISMS is influenced by its business and security objectives, its security risks and control requirements, the processes employed and the size and structure of the organization.
The ISMS will evolve systematically in response to changing risks.
Compliance with ISO 27001 can be formally assessed and certified.
A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
7. ISMS – ISO 27002 Code of Practice
ISO 27002 is a “Code of Practice” recommending a large number of information security controls.
Control objectives throughout the standard are generic, high-level statements of business requirements for securing or protecting information assets.
The numerous information security controls recommended by the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically.
Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good-practice approach to securing information.
8. Protecting Information
High dependency on Information & Communications Technology
A successful organization must have the right information at the right time in order to make well-informed decisions
All types of information, whether paper-based or on a computer disk, are at risk
Protection of information is a major challenge: PC/network failure, hackers, viruses/spyware, fraud, unknown/unsolicited contacts
What to do? What not to do?
9. The Certification Process
ISO Guidelines: ISO/IEC 27002:2007
Certification: ISO/IEC 27001:2005
Stage 1: Documentation review & evaluation of the client’s readiness
Stage 2: Implementation audit & evaluation of the effectiveness of the client’s systems
Lead Auditor’s recommendation to certify
Certificate issued by the certification/registration body
Surveillance:
Periodic review audits (6-monthly interval)
Triennial re-certification (after 3 years)
10. ISMS Implementation Programme
Implement the Risk Treatment Plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
Implement the controls selected while establishing the ISMS to meet the control objectives.
Define how to measure the effectiveness of controls, to allow managers and staff to determine how well controls achieve the planned control objectives.
Implement security training and awareness programmes.
11. Major Components of the ISMS
Plan (establish the ISMS)
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (implement and operate the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS)
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
12. Major Components of the ISMS
• The "Plan-Do-Check-Act" (PDCA) model applies at different levels throughout the ISMS (cycles within cycles).
• The same approach is used for quality management in ISO 9000.
• The diagram illustrates how an ISMS takes as input the information security requirements and expectations and, through the PDCA cycle, produces managed information security outcomes that satisfy those requirements and expectations.
13. Benefits of the certification
Compliance: it might seem odd to list this as the first benefit, but it often shows the quickest “return on investment”. If an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 provides a methodology that enables it to do so in the most efficient way.
A valuable framework for resolving security issues
Enhancement of client confidence & perception of your organisation
Lower costs: information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, occasional data leakage, or disgruntled employees, or disgruntled former employees.
Provides confidence that you have managed risk in your own security implementation
Enhancement of security awareness within an organisation
Assists in the development of best practice
Can often be a deciding differentiator between competing organisations
14. Overview of ISO 27001
Clause 1: Scope
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within an organization.
Specifies requirements for the implementation of security controls that will protect information assets and give confidence to interested parties.
Exclusions of controls are permitted only if they are found necessary to satisfy the risk acceptance criteria, and must be justified.
Clause 2: Normative references
ISO/IEC 27002:2007 – Code of practice for information security management: provides the control objectives and controls identified by a risk assessment.
Clause 3: Terms and definitions
A list of terms and definitions that apply for the purposes of the Standard.
15. Overview of ISO 27001
Clause 4: Information security management system
4.1 General requirements
Processes based on the PDCA model
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
Define the ISMS policy as per the characteristics of the business
Define the risk assessment approach
Define the scope & boundaries of the ISMS
Identify the risks
Analyze and evaluate the risks
Identify and evaluate options for the treatment of risks
Select control objectives and controls for the treatment of risks
Obtain management approval of the proposed residual risks
Obtain management authorization to implement and operate the ISMS
Prepare a Statement of Applicability (SoA)
17. Overview of ISO 27001
msb.intnet.mu
Clause 4: Information security management system
4.2 Establishing and managing the ISMS
4.2.2 Implement and operate the ISMS
Formulate & implement the Risk Treatment Plan (RTP)
Implement controls
Define how to measure the effectiveness of controls
Implement training and awareness
Manage resources
Implement procedures and controls capable of enabling prompt detection of security incidents
18. Overview of ISO 27001
Clause 4: Information security management system
4.2 Establishing and managing the ISMS
4.2.3 Monitor and review the ISMS
Execute monitoring and reviewing procedures to detect security incidents
Undertake regular reviews of the effectiveness of the controls
Conduct internal audits
Review risk assessments regularly
4.2.4 Maintain and improve the ISMS
Apply lessons learnt from security experiences
19. Overview of ISO 27001
Clause 4: Information security management system
4.3 Documentation requirements
4.3.1 General
ISMS scope, policy and objectives
Procedures and controls
Risk assessment methodology & report
Risk Treatment Plan
Statement of Applicability
4.3.2 Control of documents
4.3.3 Control of records
Clause 5: Management responsibility
5.1 Management commitment
5.2 Resource management
20. Overview of ISO 27001
Clause 6: Internal ISMS audits
The organization shall conduct internal audits at regular intervals to determine whether the control objectives, processes and procedures:
conform to the requirements of the standard
conform to the identified security requirements
are effectively implemented and maintained
perform as expected
Clause 7: Management review of the ISMS
Clause 8: ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action