#113 – Building an ISMS based on ISO/IEC 27001 & ISO/IEC 17799

Post on 25-Apr-2018


“I will work in concert with my peers.”

#113 – Building an ISMS based on ISO/IEC 27001

Peter R. Bitterli, CISA
http://www.bitterli-consulting.ch
prb@bitterli-consulting.ch

Please observe the copyright: You are allowed to use and further distribute this presentation only with this copyright notice attached. If you use parts of this documentation in presentations or other diagrams you have to refer to the source. Any commercial use of this presentation is only allowed with written consent of the author.

© 19.3.2007

© Peter R. Bitterli, Slide 2

Abstract: Building an ISMS based on ISO/IEC 27001 & ISO/IEC 17799

Almost every IT security professional has heard or read about BS7799-2 and/or ISO 17799. Many have used ISO 17799 to their advantage for designing, implementing or even auditing information security – some have used it for writing security policies and others actually for performing risk analysis. BS7799-2 (now ISO 27001), however, is less known and its contents are often misunderstood. ISO 27001 clearly defines what an Information Security Management System (ISMS) should look like, actually describing the major security management processes any company should have in place. This session explains the differences between the “twin standards” ISO 27001 and ISO 17799, concentrating mostly on the ISMS. It clearly shows how existing security organizations and security management processes fit into such an ISMS and what steps your company should take if you want to professionalize your information security management up to the point where you could get certified. The session also shows many pitfalls that companies might fall into, based on the speaker’s experience both in his capacity as an official expert supervising the accredited certification bodies and as an IT auditor and security consultant.

Learning Objectives: The participants will learn about …

1. what an effective ISMS according to ISO/IEC 27001 is and what mandatory elements it consists of
2. what the main differences are between the “twin standards” ISO/IEC 27001 and ISO/IEC 17799
3. how to improve the existing security processes to a certifiable ISMS
4. why this makes sense even if your company doesn’t want to become ISO/IEC 27001 certified
5. main lessons the speaker learned by looking at certified and uncertified ISMS of several companies

Content: Overview

Typical unresolved security problems
From CoP to BS7799-2 to ISO 17799/27001
Introduction to ISO/IEC 27001 (elements of an ISMS) and ISO/IEC 17799 (the controls)
Certification based on ISO/IEC 27001
Step by step approach to change your ISMS
Major benefits of improving your ISMS
Pitfalls to avoid

Part 1: Introduction

Typical unresolved information security problems – i.e. ISMS weaknesses

Typical ISMS Weaknesses: Problematic areas

Parallel internal control systems
Ineffective security organization
Contradictory directives & policies
Outsourcing out of control
Ineffective IT risk management
Inadequate awareness
Poor physical security
Unresolved business continuity issues

Parallel Control Systems: Ineffective systems of internal control

Many, partially parallel systems of internal controls:
  Traditional system of internal controls
  Security
  Legal / Compliance
  Data Protection
  Operational Risk Management
  Quality Assurance
  Safety
  …

Leads to:
  Obvious and hidden inconsistencies
  Inefficient processes
  Members of staff are weary of controls, will circumvent controls, might commit passive or active sabotage of ICS
  Flood of policies
  …

Security Organizations: Cemented structures with high frictional loss

Many independent parties maintain that they are “the only one” to take care of security:
  Physical Security
  IT Security
  Data Protection
  Product Security (Validation)
Unfavorable reporting lines
Individual kingdoms

Leads to unclear responsibilities, authorities and accountabilities:
  Ambiguous responsibilities (> security gaps)
  Overlapping authorities (> inconsistencies, > gaps)
  Tasks might not be fulfilled (> gaps)
  Wastages (> no efficiency)
  Trouble with staff
  …

Directives and Policies: Conflicting directives and wrong use of them

Historically grown directives & policies:
  Not up to date
  Poor/contradictory definitions
  Unclear verbalizations
  Too much or too little is regulated
  Not known to members of staff
  “Americanization” of management’s behaviour

Leads to:
  Flood of policies or very selective policies
  Employee deviance: impossible to comply; might negate or circumvent existing policies on purpose; might commit passive or active sabotage
  Disengagement of management’s expectations from reality
  …

Outsourcing (Multi-Sourcing): Unjustifiable trust and critical dependencies

(Still) increasing outsourcing:
  Network
  ERP packages
  Housing/operating provider
  “Office” provider
Blind trust in outsourcing partner:
  No provider audits
  Reliance on certifications and attestations
  Use of too small companies

Leads to:
  Absolute dependency on provider
  Governance problems: strategic alignment, efficiency
  Compliance problems
  …

IT Risk Management: ORM will not diminish need for IT risk management

Operational risk management (ORM) often far from reality:
  too superficial
  too detailed
  too theoretical
  too inflexible approach (must follow software)
No link between ORM and IT risk management
No IT risk management

Leads to:
  Incomplete risk landscapes
  Unrecognized risks with high severity
  Ineffective risk management, e.g. in the area of IT security
  …

Security Awareness: Missing security awareness increases risks

No, superficial or discontinuous security awareness
Management attitude that (additional) awareness training is not necessary
Management itself is the biggest problem!

Leads to:
  Little understanding for measures and directives
  Every employee individually decides how secure he/she wants to be
  Careless treatment of critical information and systems
  Inadequate support and budget for security
  …

Physical Security: Even data centres and banks are not always really secure

Unclear perimeter: clients, meeting zones, internal offices
Risks in the neighborhood: restaurants, subterranean parking, …
Cumulation of risks (“all eggs in one basket”)
Non-compliance to safety regulations

Leads to:
  Access of unauthorized persons to inner offices
  Wrong impression of visiting VIPs
  Threat to health and lives
  Possible loss of complete site
  …

Business Continuity: Insufficient and not proven measures

Critical business processes are not known
No SLAs for normal operations, for emergencies
No willingness of management for analysis, documentation and reduction of processes

Leads to:
  Missing awareness on management level
  Fragmentary emergency plan
  Untested sub plans
  Ineffective measures
  Erratic updating of plans
  …

Typical IT Risk Landscape (Typical “generic” risks of a mid-sized company)

[Risk matrix: Probability (p) on one axis – A very unlikely (every 10,000 days), B unlikely (every 1000 days), C likely (every 100 days), D frequently (every 10 days), E daily (every day); Damage potential (A) on the other axis – 1 low, 2 medium, 3 high, 4 very high, 5 critical. Each risk is plotted by its number.]

Number of risk:
1 Half-day power loss
2 Failure of outsourcing provider
3 Loss of confidentiality of customer data
4 Malicious code
5 Access management
6 Telebanking (Phishing)
7 Patch management
8 Non-compliance with rules
9 Network interrupt
10 Infringements
11 Loss of key personnel
12 Password handling
13 Application of new technologies
14 Application dependent controls
15 Unsuited BCM/BCP
16 Internal sabotage

What is the Solution?

Build an information security management system (ISMS) with:
  security management processes according to ISO/IEC 27001
  security measures (i.e. controls) based on ISO/IEC 17799
Maybe: have it certified

Part 2: Evolution of Standards

History of the “Code of Practice for Information Security Management” and overview of the ISO/IEC 27000 Standards Family

Evolution of Code of Practice (Code of Practice for Information Security Management)

[Timeline diagram]
Origins: Shell Baseline Security Controls / Shell Best Practices; SRI International Survey of Industry / SRI International Baseline Controls; best practices of BT, Marks & Spencer, Midland, BOC, Nationwide & Unilever; DTI Code of Practice
1995: British Standard BS7799-1: 1995
1998: British Standard BS7799-2: 1998
1999: British Standard BS7799-1: 1999; British Standard BS7799-2: 1999
12.2000: ISO Standard ISO 17799: 2000
9.2002: British Standard BS7799-2: 2002
6.2005: ISO Standard ISO 17799: 2005
2005: British Standard BS7799-2: 2005
10.2005: ISO Standard ISO 27001
???: ISO Standard ISO 27002

ISO/IEC 27000 Family: Building an Information Security Management System

[Diagram of the standards family; categories in the diagram: Terminology, Requirements, Guideline, Support PDCA; legend: published / to be published]
27000 Overview & Vocabulary
27001 ISMS Requirements
27002 Code of Practice
27003 Implementation Guidance
27004 ISM Measurements
27005 Risk Management
27006 Accreditation Requirements
27007 (?) ISMS Audit Guidelines
Related standards: 13335-x ICT Security; 15947 IDS Framework; 18043 IDS Management; 18028-x Network Security; 18044 Incident Management; control implementation and others …

Source: Peter Weiss, Zurich

Part 3: Major contents of an ISMS

Brief explanation of ISO/IEC 27001

Scope: Building an effective Information Security Management System

ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

Source: ISO/IEC 27001 Chapter 1 Scope

Contents: ISO/IEC 27001 (formerly known as BS7799-2)

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information Security Management System
5 Management responsibility
6 Internal ISMS audits
7 Management review of the ISMS
8 ISMS improvement
– Annexes

ISMS – PDCA Model: Building an effective Information Security Management System

[PDCA circle: PLAN – Establish the ISMS; DO – Implement and operate the ISMS; CHECK – Monitor and review the ISMS; ACT – Maintain and improve the ISMS]

Source: Peter Weiss, Zurich

Establish the ISMS: Building an effective Information Security Management System

[PDCA circle, PLAN phase – Establish the ISMS:]
  Define ISMS scope & policy
  Carry out risk assessment
  Decide on risk treatment
  Select controls (from 17799)
  Accept residual risks
  (Risk management)

Source: Peter Weiss, Zurich

Implement and Operate ISMS: Building an effective Information Security Management System

[PDCA circle, DO phase – Implement and operate the ISMS:]
  Formulate & implement risk treatment plan
  Implement controls
  Define effectiveness measurement of controls
  Implement training/awareness
  Manage operations & resources of the ISMS
  (Risk management)

Source: Peter Weiss, Zurich

Monitor and Review ISMS: Building an effective Information Security Management System

[PDCA circle, CHECK phase – Monitor and review the ISMS:]
  Execute monitoring procedures
  Regularly review effectiveness of ISMS
  Measure effectiveness of controls
  Review risk assessments
  Conduct internal ISMS audits and management reviews
  Update security plan
  (Risk management)

Source: Peter Weiss, Zurich

Maintain and Improve ISMS: Building an effective Information Security Management System

[PDCA circle, ACT phase – Maintain and improve the ISMS:]
  Implement improvements
  Take corrective and preventive actions
  Communicate results
  Ensure improvements achieve objectives

Source: Peter Weiss, Zurich

Part 4: Security Controls

Brief explanation of ISO/IEC 17799 (will become ISO/IEC 27002)

Contents: ISO/IEC 17799 (soon to become ISO/IEC 27002)

1 Scope
2 Terms and definitions
3 Structure of standards
4 Assessment and treatment of risks
5 Security policy
6 Organisation of information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance

(Chapters grouped into general information, organizational issues and technical issues)

Security Policy: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Term “information security”
Definition of objectives
Enterprise-specific security requirements
Responsibilities
Regular updates

Document hierarchy: Policy – Security concept (Baseline protection) – Guidelines

Organisation of Security: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Security organisation:
  Security committee
  Coordination of all security concerns
  Responsibilities
  Approval of IT installations
  Specialist know-how
  Third party cooperation
  Independent security assessment
Security in third party companies:
  Identification of risks
  Security on the customer’s site
  Security requirements in contracts

Management of Inf. Assets: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Responsibilities:
  Inventory
  Assignment to “owners”
  Acceptable use policy
Classification:
  Classification policy
  Labelling and handling

Human Resources Security: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Prior to employment:
  Roles and responsibilities
  Background checks
  Terms and conditions of employment
During employment:
  Management responsibilities
  Awareness education and training
  Disciplinary process
Change/termination of employment:
  Termination responsibilities
  Return of assets
  Removal of access rights

Physical/Environmental Security: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Secure areas:
  Security perimeter
  Entry controls
  Securing offices, rooms and facilities
  Protection against external and environmental threats
  Working in secure areas
  Delivery and loading areas
Equipment security:
  Site
  Power supply
  Cabling
  Maintenance
  Off-premises usage
  Disposal
  Removal of property

Communication and Operations: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Operating procedures and responsibilities
Third-party services
Planning and acceptance of systems
Protection against malicious code
Backup
Network security management
Media handling
Exchange of information and software
E-commerce services
Monitoring

Access Control: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Business requirements for access control
Administration of access rights
User responsibilities
Network access control
Operating system access control
Application access control
Mobile computing / teleworking

Systems Acquisition, Development and Maintenance: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Definition of security requirements
Correct processing in applications: input, processing, authentication, output
Cryptographic controls: concept, encryption
Security of system files
Security in development and support processes
Technical vulnerability management

Incident Management: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Reporting information security incidents and weaknesses
Management of information security incidents and improvements

Business Continuity: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Information security aspects in BCM
Business continuity and risk management
Development and implementation of business continuity plans
Planning framework
Testing, maintaining and reassessing business continuity plans

Compliance: ISO/IEC 17799 (soon to become ISO/IEC 27002)

Compliance with legal requirements:
  Applicable law
  Intellectual property rights
  Records
  Data protection / privacy
  Prevention of misuse
  Regulation of cryptographic controls
Compliance with policies and standards:
  Policies
  Compliance with technical standards
Systems audit:
  Audit procedure
  Protection of tools

Grouping of Main Chapters: ISO/IEC 17799 (soon to become ISO/IEC 27002)

[Diagram grouping the main chapters into organizational issues and technical issues: 5. Security policy; 6. Organization of information security; 7. Asset management; 8. Human resources security; 9. Physical and environmental security; 10. Communications and operations management; 11. Access control; 12. Systems acquisition, development and maintenance; 13. Information security incident management; 14. Business continuity management; 15. Compliance]

based on: Callio

Part 5: Accreditation & Certification

Brief explanation of accreditation and certification processes based on ISO/IEC 27001 and ISO/IEC 27006 (draft)

Terms (I): Used in the context of accreditation & certification

Compliance is a self-assessment carried out by the organization in order to verify whether a system that has been implemented complies with a standard.

Certification (Registration) is conferred by an accredited certification body when an organization successfully completes an independent audit, thus certifying that the management system meets the requirements of a specific standard, e.g. ISO/IEC 27001.

Terms (II): Used in the context of accreditation & certification

Remark: A company may comply with ISO/IEC 17799, but certification is only possible with ISO/IEC 27001.

Accreditation consists of the means by which an authorized organization (the accreditation body) officially recognizes the authority of a certification body to evaluate, certify and register an organization’s ISMS with regard to published standards.

Overview over Terms: Accreditation and certification

[Diagram: Accreditation Bodies (AB) accredit Certification Bodies (CB); each CB certifies a number of Certified Companies. Accreditation bodies: http://www.european-accreditation.org, www.iaf.nu; certification body example: http://www.xisec.com]

Scoping: Only the “area” within the defined scope will be certified

Source: www.ceem.com

Certificates: Examples

ISO 9001
ISO 14001
ISO 27001 (originally: BS 7799-2 ISMS)
BS 15000 / ISO 20000
…

BSI: British Standard Institute; ISO: International Organization for Standardization; IEC: International Electrotechnical Organization; ISO/IEC JTC1: Joint Technical Committee

Current certifications in Switzerland (CH)

Source: www.iso27001certificates.com, downloaded on 2.2.2007

Certification Audit (I): Audit process of accredited certifier

Stage 1 – Review of ISMS documentation:
  Scope
  ISMS Policy
  Risk report
  Risk treatment
  Statement of Applicability
  Core elements of ISMS
Stage 2 – Visit to the company; review of compliance:
  Security policies
  Security objectives
  Procedures
  ISMS conforms to ISO 27001 and achieves security objectives (as in ISO 17799)

Certification Audit (II): Audit process of accredited certifier

Results of stage 2:
  Nonconformities (major, minor)
  Observations
Report:
  Audit team reports to CB
  Company comments and specifies improvements
  CB confirms corrections

Surveillance Audit: … of certification body (CB)

Periodic
Often enough
Non-conformities must be corrected within agreed time span
If not: reduction, suspension or recall of certification

Internal Audit: Internal ISMS audit by the certified company itself

In planned intervals
Review whether the ISMS …
  complies with ISO 27001 requirements
  complies with relevant laws and regulations
  has been implemented in an effective way
  is being maintained
  does what is expected

Re-Certification: Re-assessment by the original certification body (CB)

Normally every three years
Purpose: to verify the continuing compliance to ISO 27001 requirements. In general this comprises:
  Verification that approved ISMS is still implemented
  Review of all changes to the ISMS
  Confirmation of compliance to ISO 27001, ISO 17799
  Internal maintenance (audit, security review, management review, preventive/corrective actions)

Accreditation of CB: The auditor is audited too

[Diagram: Accreditation Body (AB) accredits Certification Body (CB); CB certifies the certified company]

Requirements:
  ISO Guide 62 (and EN 45012): general requirements/criteria for accreditation; applicable for ISO 9001, ISO 14001, BS7799-2
  EA 7/03 states Guide 62 more precisely in relation to ISMS audits (will become ISO 27006)
  ISO 19001: Criteria for auditors’ competence

Part 6: Implementing an ISMS

Step by step approach to change your existing non-formal ISMS to an ISO/IEC 27001-like ISMS that could be formally certified

Our ISMS Approach: In 30 steps twice around the PDCA circle to gain momentum

[Diagram: two consecutive PDCA cycles. Phase I: Establish the ISMS (PLAN), Implement and operate the ISMS (DO), Monitor and review the ISMS (CHECK), Maintain and improve the ISMS (ACT). Phase II: the same four steps again.]

Source: Peter Weiss, Zurich

Goal of an ISMS

An Information Security Management System is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Source: ISO/IEC 27001 Chapter 1 Scope

Establish the ISMS: Building an effective Information Security Management System

[PDCA circle, PLAN phase – Establish the ISMS: Define ISMS scope & policy; Carry out risk assessment; Decide on risk treatment; Select controls (from 17799); Accept residual risks (Risk management)]

Source: Peter Weiss, Zurich

Define the Scope: “Easy” steps to implement an ISMS: Step 1

Even if you don’t aim for certification, you should define the scope of your ISMS. Start slowly and enlarge your scope as you progress in maturity, e.g. start with:
  IT
  headquarters
  those departments with high business risks
  highly regulated areas of your company
But first: define responsibilities, authorities & accountabilities

PDCA phase: PLAN – Establish the ISMS

Define High-level Policy: “Easy” steps to implement an ISMS: Step 2

Define an overall ISMS policy that …
  includes a framework for setting objectives and establishes an overall sense of direction and principles for information security
  takes into account business and legal or regulatory requirements and contractual security obligations
  aligns with the organization’s strategic risk management
  has been approved by management

Source: ISO/IEC 27001 Chapter 4.2.1 Establish the ISMS

PDCA phase: PLAN – Establish the ISMS

Define Areas of Applicability: “Easy” steps to implement an ISMS: Step 3

Not all 133 controls need to be implemented as they are not all relevant and applicable
Therefore: put together a list of those controls …
  that cover legal and regulatory requirements, contractual obligations and the organization’s business requirements
  or are necessary because of the risk assessment and risk treatment process (steps 4a – 4c)

PDCA phase: PLAN – Establish the ISMS

Maturity & Risk Assessment: “Easy” steps to implement an ISMS: Step 4a

Perform a controls self assessment (CSA) in combination with a “quick & dirty” risk assessment:
  Go through all of the 133 controls
  Rate the “maturity level” of these controls
  Rate the severity if an incident would happen that is (should be) covered by the respective control

Remark: The purpose of the shown “quick & dirty” risk assessment approach is to get the whole ISMS improvement process going. It must later be replaced by a formally defined risk assessment and risk treatment plan as mentioned in step 20 of the shown approach.

PDCA phase: PLAN – Establish the ISMS

Example of CSA: “Easy” steps to implement an ISMS: Step 4b

[Radar chart of the maturity level (scale 0 to 4) per ISO/IEC 17799 control objective: 5.1, 6.1, 6.2, 7.1, 7.2, 8.1–8.3, 9.1, 9.2, 10.1–10.10, 11.1–11.7, 12.1–12.6, 13.1, 13.2, 14.1, 15.1–15.3. Legend: Current maturity level (green area); Room for improvement; Maturity level aimed at (3); Maximum maturity level (4)]

PDCA phase: PLAN – Establish the ISMS

CSA Combined with Severity: “Easy” steps to implement an ISMS: Step 4c

Comment: Shown ratings are for demonstration purposes only

[Matrix of severity (vertical axis) against the CSA maturity level, divided into quadrants I, II, III and IV: Urgent need for improvement!; Areas where controls are necessary but effective; Possible savings; Low priority]

PDCA phase: PLAN – Establish the ISMS
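The CSA-plus-severity matrix of steps 4a–4c, and the indirect effectiveness check of step 6 (re-measuring the maturity level), carried out in Python. This is an added example, not material from the presentation: the control numbers follow the ISO/IEC 17799 chapters listed above, but the ratings are constructed, the severity scale (1–5, with 3 and above counting as high) is assumed, and only quadrant I is named on the slides, so the assignment of quadrants II–IV to the other three labels is an assumption.

```python
"""Controls self-assessment (CSA) combined with severity, steps 4a-4c,
plus the indirect effectiveness check of step 6 (re-measuring maturity).

Added example; the ratings below are constructed, not from the presentation.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_MATURITY = 4      # "Maximum maturity level (4)" on the radar chart
TARGET_MATURITY = 3   # "Maturity level aimed at (3)"

# Assumed: severity is rated 1..5 and anything >= 3 counts as high severity
# (the slides rate severity but do not give the scale).
SEVERITY_THRESHOLD = 3

# Only quadrant I is named on the slides ("Urgent need for improvement");
# the mapping of II-IV onto the other three labels is an assumption.
QUADRANTS = {
    "I": "Urgent need for improvement",        # low maturity, high severity
    "II": "Controls necessary but effective",  # high maturity, high severity
    "III": "Low priority",                     # low maturity, low severity
    "IV": "Possible savings",                  # high maturity, low severity
}


@dataclass(frozen=True)
class ControlRating:
    control: str   # ISO/IEC 17799 control objective, e.g. "10.4"
    maturity: int  # 0..MAX_MATURITY, from the CSA
    severity: int  # 1..5: impact if an incident this control should cover happened

    def __post_init__(self) -> None:
        if not 0 <= self.maturity <= MAX_MATURITY:
            raise ValueError(f"{self.control}: maturity {self.maturity} not in 0..{MAX_MATURITY}")
        if not 1 <= self.severity <= 5:
            raise ValueError(f"{self.control}: severity {self.severity} not in 1..5")


def quadrant(r: ControlRating) -> str:
    """Place one control in the severity/maturity matrix of step 4c."""
    mature = r.maturity >= TARGET_MATURITY
    severe = r.severity >= SEVERITY_THRESHOLD
    if severe:
        return "II" if mature else "I"
    return "IV" if mature else "III"


def prioritise(ratings: List[ControlRating]) -> Dict[str, List[str]]:
    """Group controls by quadrant; quadrant I is the work list for step 6.
    Within a quadrant, highest severity first, then the lowest maturity."""
    out: Dict[str, List[str]] = {q: [] for q in QUADRANTS}
    for r in sorted(ratings, key=lambda x: (-x.severity, x.maturity)):
        out[quadrant(r)].append(r.control)
    return out


def maturity_gap(ratings: List[ControlRating]) -> Dict[str, int]:
    """'Room for improvement' per control: levels missing up to the target."""
    return {r.control: max(0, TARGET_MATURITY - r.maturity) for r in ratings}


def remeasure(before: List[ControlRating], after: List[ControlRating]) -> Dict[str, int]:
    """Step 6: effectiveness rated indirectly as the change in maturity level
    between two CSA rounds, for controls present in both."""
    prev = {r.control: r.maturity for r in before}
    return {r.control: r.maturity - prev[r.control] for r in after if r.control in prev}


# Constructed first CSA round (control numbers follow the ISO/IEC 17799 chapters).
CSA_ROUND_1 = [
    ControlRating("5.1", maturity=2, severity=4),   # security policy
    ControlRating("8.1", maturity=3, severity=2),   # HR security prior to employment
    ControlRating("10.4", maturity=1, severity=5),  # protection against malicious code
    ControlRating("11.2", maturity=3, severity=4),  # user access management
    ControlRating("13.1", maturity=0, severity=3),  # reporting incidents and weaknesses
    ControlRating("15.1", maturity=1, severity=2),  # compliance with legal requirements
]

# Constructed second round after working on the quadrant-I controls (step 6).
CSA_ROUND_2 = [
    ControlRating("5.1", maturity=3, severity=4),
    ControlRating("8.1", maturity=3, severity=2),
    ControlRating("10.4", maturity=3, severity=5),
    ControlRating("11.2", maturity=3, severity=4),
    ControlRating("13.1", maturity=2, severity=3),
    ControlRating("15.1", maturity=1, severity=2),
]

if __name__ == "__main__":
    for q, controls in prioritise(CSA_ROUND_1).items():
        print(f"Quadrant {q:>3} ({QUADRANTS[q]}): {controls}")
    print("Room for improvement:", maturity_gap(CSA_ROUND_1))
    print("Maturity change after step 6:", remeasure(CSA_ROUND_1, CSA_ROUND_2))
    print("Still urgent:", prioritise(CSA_ROUND_2)["I"])
```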

Conformity Requirements: “Easy” steps to implement an ISMS: Step 5

Check whether the exclusion of certain controls is acceptable (obtain management approval of residual risk).

Comment: For certification, the exclusion of certain controls is only acceptable if these exclusions do not affect the organization’s ability and/or responsibility to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

Source: ISO/IEC 27001 Chapter 1 Scope

PDCA phase: PLAN – Establish the ISMS

Implement and Operate ISMS: Building an effective Information Security Management System

[PDCA circle, DO phase – Implement and operate the ISMS: Formulate & implement risk treatment plan; Implement controls; Define effectiveness measurement of controls; Implement training/awareness; Manage operations & resources of the ISMS (Risk management)]

Source: Peter Weiss, Zurich

Implement Risk Treatment: “Easy” steps to implement an ISMS: Step 6

Instead of the required detailed risk treatment plan start with the following pragmatic approach:
  For all controls identified in step 4c as “Urgent need for improvement” (quadrant I) implement the respective controls as shown in ISO/IEC 17799 (i.e. as good/best practices)
  Rate the effectiveness of these controls indirectly by re-measuring the “maturity level”

PDCA phase: DO – Implement and operate the ISMS

Improve Security Awareness: “Easy” steps to implement an ISMS: Step 7

Start marketing security primarily towards (senior) management:
  Show radar chart of step 4b
  Show severity assessment of step 4c
  Start asking about personal nightmares
  Show management typical situations such as mentioned in introduction

PDCA phase: DO – Implement and operate the ISMS

Security Resources: “Easy” steps to implement an ISMS: Step 8

Identify current resources for information security: security officers, security engineers (list part timers separately)
Collect same information from your peers
Start asking for more resources, argue with:
  Increasing legal/regulatory requirements
  Recent incidents from own organization
  Incidents in headlines
  Comparisons with peers

PDCA phase: DO – Implement and operate the ISMS

Monitor and Review ISMS: Building an effective Information Security Management System

[PDCA circle, CHECK phase – Monitor and review the ISMS: Execute monitoring procedures; Regularly review effectiveness of ISMS; Measure effectiveness of controls; Review risk assessments; Conduct internal ISMS audits and management reviews; Update security plan (Risk management)]

Source: Peter Weiss, Zurich

Identify Security Incidents: “Easy” steps to implement an ISMS: Step 9

Start collecting information on …
  attempted and successful breaches of security
  any other security incidents
  current threat situation (i.e. viruses, spam, …)
Start a “security round table” with representatives from …
  Operations
  Help Desk / 2nd Level Support
  Security
  (IT) Risk Management

PDCA phase: CHECK – Monitor and review the ISMS

Security Reviews: “Easy” steps to implement an ISMS: Step 10

Start with first reviews of the effectiveness of (selected parts of) the ISMS, e.g.
  where incidents occurred
  where audit reports showed deficiencies
  where incidents could have a high severity (quadrant I in step 4c)
  where your personal experience points to possible room for improvement (professional judgement)

PDCA phase: CHECK – Monitor and review the ISMS

Security Plans: “Easy” steps to implement an ISMS: Step 11

Formulate concrete security plans (i.e. security programs) with necessary improvement activities based on:
  Best practices controls (step 6)
  Security incidents
  Results of security reviews

PDCA phase: CHECK – Monitor and review the ISMS

Maintain and Improve ISMS: Building an effective Information Security Management System

[PDCA circle, ACT phase – Maintain and improve the ISMS: Implement improvements; Take corrective and preventive actions; Communicate results; Ensure improvements achieve objectives]

Source: Peter Weiss, Zurich

Implement Improvements: “Easy” steps to implement an ISMS: Step 12

Implement, with high emphasis, the identified improvement measures as shown in the security program:
  Keep track of progress

PDCA phase: ACT – Maintain and improve the ISMS

Communication: “Easy” steps to implement an ISMS: Step 13

Communicate progress to stakeholders

PDCA phase: ACT – Maintain and improve the ISMS

Intermediate Phase: In 30 steps twice around the PDCA circle to gain momentum

[Diagram: two consecutive PDCA cycles. Phase I: Establish the ISMS (PLAN), Implement and operate the ISMS (DO), Monitor and review the ISMS (CHECK), Maintain and improve the ISMS (ACT). Phase II: the same four steps again.]

Source: Peter Weiss, Zurich

Improve Documentation (I): “Easy” steps to implement an ISMS: Step 14a

For phase II you must improve the quality of the ISMS documentation:
  Records of management decisions
  Actions are traceable to management decisions
  Recorded results must be reproducible
  Demonstrate relationship from selected controls back to results from risk assessment and risk treatment process

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements

Improve Documentation (II)
“Easy” steps to implement an ISMS: Step 14b

ISMS documentation shall include:

Documented statements of the ISMS policy and objectives

Scope of ISMS

Procedures and controls in support of the ISMS

Description of the risk assessment methodology

Risk assessment report

Risk treatment plan

Documented security management procedures

Statement of Applicability

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements

© Peter R. Bitterli, Slide 82

Improve Documentation (III)
“Easy” steps to implement an ISMS: Step 14c

Protect and control ISMS documentation:

Approve documents for adequacy prior to use

Review, update and then re-approve documents

Changes and current revision status of documents are identified

Ensure documents are available to those who need them

Ensure controlled distribution

Prevent use of obsolete documents

Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements

© Peter R. Bitterli, Slide 83

Control of Records
“Easy” steps to implement an ISMS: Step 15

Establish records to provide evidence of conformity to requirements and the effective operation of the ISMS:

Need to be protected and controlled

Take into account relevant legal or regulatory requirements and contractual obligations

Must be retrievable

Controls for “record management” must be documented themselves

Source: ISO/IEC 27001 Chapter 4.3.3 Control of records

© Peter R. Bitterli, Slide 84

Management Commitment
“Easy” steps to implement an ISMS: Step 16

Management shall provide evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS:

Establish policy, roles & responsibilities

Communicate the importance of security

Provide sufficient resources

Decide criteria for accepting risks

Ensure internal ISMS audits and management reviews

Source: ISO/IEC 27001 Chapter 5 Management responsibility

© Peter R. Bitterli, Slide 85

Establish the ISMS
Building an effective Information Security Management System

[Figure: PDCA cycle with the PLAN phase (Establish the ISMS, phase II) expanded into the following steps; the figure also carries the label “Risk management” beside these steps:]

Define ISMS scope & policy

Carry out risk assessment

Decide on risk treatment

Select controls (from 17799)

Accept residual risks

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 86

Broaden the Scope
“Easy” steps to implement an ISMS: Step 17

Try to broaden the scope from …

within IT

headquarters

those departments with high business risks

the highly regulated areas of your company

to the whole organization.

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 87

Streamline Policies
“Easy” steps to implement an ISMS: Step 18a

Based on the defined overall ISMS policy, review and streamline all other directives, policies and guidelines that concern information in any form (electronically stored, processed, printed, written, transmitted, spoken):

Clear up definitions

Remove contradictions and redundancies

Remove all parts not necessary

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 88

Streamline Policies
“Easy” steps to implement an ISMS: Step 18b

Hint: Be aware that there is no standard terminology

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 89

Verify Areas of Applicability
“Easy” steps to implement an ISMS: Step 19

Check whether the subset of the 133 controls that were implemented in the first phase needs to be enlarged based on changes in scope or risks.

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 90

Formal Risk Assessment (I)
“Easy” steps to implement an ISMS: Step 20a

Improve your current risk assessment and treatment to a more mature process:

Formalize risk assessment methodology

Determine criteria for risk acceptance

Identify assets within scope of ISMS and the owners of the assets

Identify threats to those assets

Identify vulnerabilities that might be exploited

Identify impact of those vulnerabilities

Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 91

Formal Risk Assessment (II)
“Easy” steps to implement an ISMS: Step 20b

Improve your current risk assessment and treatment to a mature process (cont.):

Analyze and evaluate the risks

Identify and evaluate options for the treatment of risks

Select control objectives and controls for treatment of risks

Obtain management approval of residual risks

Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS

PDCA phase: PLAN (Establish the ISMS)

© Peter R. Bitterli, Slide 92

Formal Risk Assessment (III)
“Easy” steps to implement an ISMS: Step 20c

[Figure: risk matrix plotting risks 1 to 21 by probability (horizontal axis) against severity (vertical axis); the individual positions are not recoverable from the transcript. Risk 16 appears twice, before and after treatment.]

Probability (horizontal axis):

A  highly improbable   every 10,000 days
B  improbable          every 1000 days
C  probable            every 100 days
D  often               every 10 days
E  daily               every day

Severity (vertical axis):

1  low
2  medium
3  high
4  very high
5  critical

Risk 16: Remote Access Vulnerabilities will be reduced by security program elements:

A: Remote Access Server, Single Sign-On

B: Awareness

C: Regulations (Contract management, policies)

(Example for demonstration purposes only *)

PDCA phase: PLAN (Establish the ISMS)
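The probability/severity grid of this slide, as an added worked example (not the author's code): it maps an estimated interval between events to the slide's classes A to E, places a risk in the matrix and records how security program elements move it, as with risk 16 above. The risk entry, its interval estimate and the size of each element's effect are constructed assumptions.

```python
import math
from dataclasses import dataclass, replace

# Severity levels as printed on the slide's vertical axis.
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "very high", 5: "critical"}

def probability_class(days_between_events: float) -> str:
    """Nearest class on the slide's log scale: E = every day, D = every 10,
    C = every 100, B = every 1000, A = every 10,000 days or rarer."""
    if days_between_events <= 0:
        raise ValueError("interval must be positive")
    step = max(0, min(4, round(math.log10(days_between_events))))
    return "EDCBA"[step]

@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    interval_days: float    # assessor's estimate of days between occurrences
    severity: int           # 1 (low) .. 5 (critical)
    treatments: tuple = ()  # security program elements applied so far

    def cell(self) -> tuple[str, int]:
        """(probability class, severity) cell the risk occupies."""
        return probability_class(self.interval_days), self.severity

def treat(risk: Risk, element: str, interval_factor: float = 1.0,
          severity_drop: int = 0) -> Risk:
    """Risk after one program element; the factor and drop are the assessor's
    estimate of reduced likelihood and impact (constructed values here)."""
    return replace(risk, interval_days=risk.interval_days * interval_factor,
                   severity=max(1, risk.severity - severity_drop),
                   treatments=risk.treatments + (element,))

def render_matrix(risks) -> list[str]:
    """Text grid: rows severity 5..1, columns A..E, cells list risk numbers."""
    return [f"{sev} {SEVERITY[sev]:<10}|" + "|".join(
                ",".join(str(r.number) for r in risks
                         if r.cell() == (cls, sev)).ljust(5)
                for cls in "ABCDE")
            for sev in range(5, 0, -1)]

# Constructed sample: the slide's "Risk 16: Remote Access Vulnerabilities",
# before and after program elements A, B and C (effects are assumptions).
RISK16 = Risk(16, "Remote Access Vulnerabilities", interval_days=30, severity=4)
RISK16_TREATED = treat(
    treat(treat(RISK16, "A: Remote Access Server, Single Sign-On", 10),
          "B: Awareness", 3),
    "C: Regulations (Contract management, policies)", severity_drop=1)
```

Printing `render_matrix([RISK16, RISK16_TREATED])` shows the risk moving from cell D/4 to cell B/3, the kind of before/after picture the slide draws for risk 16.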

© Peter R. Bitterli, Slide 93

Implement and Operate ISMS
Building an effective Information Security Management System

[Figure: PDCA cycle with the DO phase (Implement and operate the ISMS, phase II) expanded into the following steps; the figure also carries the label “Risk management” beside these steps:]

Formulate & implement risk treatment plan

Implement controls

Manage operations & resources of the ISMS

Define effectiveness measurement of controls

Implement training/awareness

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 94

Implement Risk Treatment
“Easy” steps to implement an ISMS: Step 21

Determine detailed risk treatment plan:

Identify options for risk treatment

Apply appropriate controls

Knowingly and objectively accept risks (provided they clearly satisfy the organization’s policies and criteria for accepting risks)

Check whether additional controls (e.g. not listed in ISO/IEC 17799) need to be implemented

Determine how progress will be assessed

PDCA phase: DO (Implement and operate the ISMS)

© Peter R. Bitterli, Slide 95

Further Security Awareness
“Easy” steps to implement an ISMS: Step 22

Start with a formal information security awareness campaign that aims for competent staff:

Analyze target audience

Decide on overall goals, contents, approaches

Develop security marketing campaign

In any case, implement formal classroom-based training (users, IT, …) and a combination of other delivery channels

Develop and implement metrics

Roll out and monitor the campaign

PDCA phase: DO (Implement and operate the ISMS)

© Peter R. Bitterli, Slide 96

Get more Security Resources
“Easy” steps to implement an ISMS: Step 23a

Based on the security program of phase II, estimate required resources for information security.

Always ask for about 20% more resources than needed; argue with:

Still increasing legal/regulatory requirements

Results of risk assessment performed

Many ongoing security programs

More incidents in headlines

List of intangible benefits (see next page)

PDCA phase: DO (Implement and operate the ISMS)

© Peter R. Bitterli, Slide 97

Intangible Security Benefits
“Easy” steps to implement an ISMS: Step 23b

Benefits affecting clients and partners:

Higher quality

Proven availability

Broader functionality

More flexibility

…

Benefits affecting organization:

Brand

Skills & knowledge

Training

Leadership & Culture

Growth & opportunities

…

PDCA phase: DO (Implement and operate the ISMS)

© Peter R. Bitterli, Slide 98

Monitor and Review ISMS
Building an effective Information Security Management System

[Figure: PDCA cycle with the CHECK phase (Monitor and review the ISMS, phase II) expanded into the following steps; the figure also carries the label “Risk management” beside these steps:]

Execute monitoring procedures

Regularly review effectiveness of ISMS

Measure effectiveness of controls

Review risk assessments

Update security plan

Conduct internal ISMS audits and management reviews

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 99

Improve Incident Management
“Easy” steps to implement an ISMS: Step 24

Incident management is considered to be a critical success factor of an ISMS, i.e. it needs to be highly effective:

Processes for reporting events established

Correct behaviour needs to be known

Feedback should be provided

Disciplinary process necessary

Link to problem management

Prevention should be a high priority, too!

PDCA phase: CHECK (Monitor and review the ISMS)

© Peter R. Bitterli, Slide 100

Security Compliance Reviews
“Easy” steps to implement an ISMS: Step 25

Perform security compliance reviews of the effectiveness of (selected parts of) the ISMS, e.g.

where you have invested $$ for improvements

where risk assessment shows lack of controls

where management attention is insufficient

where quick improvements are possible

If possible, look for objective security metrics

PDCA phase: CHECK (Monitor and review the ISMS)

© Peter R. Bitterli, Slide 101

Management Reviews
“Easy” steps to implement an ISMS: Step 26

Perform management review (once a year) of the ISMS to ensure its continuing suitability, adequacy and effectiveness; include:

Results of ISMS audits and reviews

Status of preventive and corrective actions

Results from effectiveness measurement

Come to a decision and take action:

Improvement of effectiveness

Update of risk assessment and treatment plan

Modification of controls that affect information security

PDCA phase: CHECK (Monitor and review the ISMS)

© Peter R. Bitterli, Slide 102

Status Monitoring
“Easy” steps to implement an ISMS: Step 27

PDCA phase: CHECK (Monitor and review the ISMS)

© Peter R. Bitterli, Slide 103

Maintain and Improve ISMS
Building an effective Information Security Management System

[Figure: PDCA cycle with the ACT phase (Maintain and improve the ISMS, phase II) expanded into the following activities:]

Implement improvements

Take corrective and preventive actions

Communicate results

Ensure improvements achieve objectives

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 104

Continuing Improvements
“Easy” steps to implement an ISMS: Step 28

Identify nonconformities and their causes

Evaluate need for further actions

Determine and implement corrective action

Record result of action taken

Aim for prevention, i.e. identify potential nonconformities

PDCA phase: ACT (Maintain and improve the ISMS)

© Peter R. Bitterli, Slide 105

Accelerate Communication
“Easy” steps to implement an ISMS: Step 29

Communicate actions and improvements to all interested parties with a level of detail appropriate to the circumstances

Ask for agreement on how to proceed

Implement quarterly top management security status report (“dashboard”)

PDCA phase: ACT (Maintain and improve the ISMS)

© Peter R. Bitterli, Slide 106

Aim for Certification
“Easy” steps to implement an ISMS: Step 30

If not yet done: formally decide on certification

Perform gap analysis for certification (ISO/IEC 27001 & ISO/IEC 17799)

Implement “certification rollout program”

PDCA phase: ACT (Maintain and improve the ISMS)

© Peter R. Bitterli, Slide 107

Benefits
Part 7

Discussion of some of the major benefits of improving your ISMS to a mature ISMS

© Peter R. Bitterli, Slide 108

Support of OECD Principles
Building an effective Information Security Management System

Awareness of need for information security

Responsibility for information security

Prevent, detect and respond to incidents

Ethics respecting interests of others

Information security compatible with essential values of a democratic society

Risk management providing levels of assurance towards acceptable risks

Security incorporated in systems

Continuous improvement

Source: Peter Weiss, Zurich

© Peter R. Bitterli, Slide 109

Other Benefits
Every company has an ISMS – but most have an ineffective one

An improved ISMS …

lowers probability of major security incidents

decreases severity of low probability scenarios

removes contradictions, bottlenecks and blind spots

improves security awareness

lets you invest your $$$ more effectively

demonstrates proper stewardship

gets the auditors off your back

lets you sleep well

© Peter R. Bitterli, Slide 110

© Peter R. Bitterli, Slide 111

Pitfalls to avoid
Part 9

Some pitfalls to avoid during such an improvement process

© Peter R. Bitterli, Slide 112

Pitfalls to avoid (I)
Building an effective Information Security Management System

Give the ISMS improvement project to a person that

has no security experience

is a security engineer (a techie)

has been too long in your company

is not a good communicator

is too junior or too old

>>> and you will fail!

© Peter R. Bitterli, Slide 113

Pitfalls to avoid (II)
Building an effective Information Security Management System

No backing from executive management

Unclear authorities & accountabilities

Not enough funding for 2–3 years

Not enough human resources

Too short time span for results

“Play hockey instead of curling”

Underestimate corporate culture

Believe that operational risk management will solve your security issues

© Peter R. Bitterli, Slide 114

For More Information:

Peter R. Bitterli, CISA

Bitterli Consulting AG & ITACS Training AG

prb(at)bitterli-consulting.ch

“I will work in concert with my peers.”

Thank you!