ISO 27001 Certification: An All-Access Pass

Post on 13-Sep-2014


description

As a globally recognized security standard, ISO 27001 certification is gaining traction in the U.S. as more companies pursue the certification to meet contractual obligations or to gain a competitive advantage. Gene Geiger, Director at A-lign, will outline the steps required to become ISO 27001 certified. View the recording of our live presentation here: https://www.youtube.com/watch?v=mMmpAwmXRNU

transcript

Connect with A-lign

Stay tuned - The webinar will begin at 2PM EST

Presenter

Gene Geiger, CPA, CISSP, PCIP, QSA, ISO 27k LA
Director at A-lign

Agenda

• An Overview of ISO 27001
• Certification Preparation
• Steps to Certification
• Ongoing Maintenance
• Q & A

History of ISO 27001

• Risk Driven Standard
• BS 7799 – 1990s
• ISO 27001:2005
• ISO 27001:2013

Understanding ISO 27001

• Security Framework
– Living processes
– Monitors & improves information security
– Requires management involvement
– Requires ongoing activities
– Requires evidence from ISMS activities

Understanding ISO 27001

• Key Terms/Concepts
– Information security management system
– Plan-do-check-act
– Risk assessment
– Statement of applicability
– Continuous improvement
– Management of security system & other compliance standards

Polling Question 1

What is the most important component of an ISMS?

A. Management Involvement

B. Documented Policies

C. Defining the Scope

Why Conform With ISO 27001

• Conformance vs. Compliance
• International Operations/Customers
• Meet Contractual Obligations
• Gain Competitive Advantage
• Evaluate Security Practices

Overview of ISO 27000 Suite

• 27001 ISMS Specifications
• 27002 Controls
• 27003 Implementation Guide
• 27004 Metrics
• 27005 Risk Management
• 27006 Certification Guide
• 27007 Auditing Guide
• 27008 Technical Auditing

ISO 27000 Suite

Polling Question 2

Which ISO 27000 standard is an organization certified against?

A. 27002

B. 27007

C. 27001

D. 27004

ISO 27001 Components

Organizational Context & Stakeholders

Information Security Leadership & High-Level Support for Policy

Planning an ISMS; Risk Assessment; Risk Treatment

Supporting an ISMS

Making an ISMS Operational

Reviewing the System's Performance

Corrective Action

ISO 27001 Components

A.5 Information Security Policies

A.6 Organization of Information Security

A.7 Human Resource Security

A.8 Asset Management

A.9 Access Control

A.10 Cryptography

A.11 Physical & Environmental Security

A.12 Operations Security

ISO 27001 Components

A.13 Communications Security

A.14 System Acquisition, Development & Maintenance

A.15 Supplier Relationships

A.16 Information Security Incident Management

A.17 Information Security Aspects of Business Continuity Management

A.18 Compliance

Certification Preparation

• Management commitment & approval

• Define ISMS scope & boundaries

• Information security requirements analysis

• Conduct risk assessment & treatment plan

• Design the ISMS

• Six to nine months

ISO 27003 Information technology – Security techniques – Information security management system implementation guidance

Steps to Certification

• Selecting Certification Body
– Accredited
– Unaccredited
– Independence

• Scheduling Audit
– Stage 1 audit
– Stage 2 audit

• Calculating On-Site Time

Polling Question 3

It is best to have your certification auditor help you develop your ISMS.

A. True

B. False

Steps to Certification

• Certification Received
– Three years

• Surveillance Audit
– Years 2 & 3
– Timing

• Revocation/Suspension

Ongoing Maintenance

• Previous Audit Concerns
– External audits
– Certification audits
– Internal audits

• Internal Audit
– Selecting the team

• Management Review
– Not a check-the-box process

Ongoing Maintenance

• Continual Improvement
– Policies/processes/technology
– Measure it

• Changes in the Environment

• Complaints/Issues Tracking

Polling Question 4

A dedicated internal audit department is not required to be ISO 27001 certified.

A. True

B. False

Recommendation

• Understand the Level of Effort
• Obtain Outside Training
• Communicate with your CB
• Be Proactive

Questions

gene.geiger@a-lign.com

888-575-7450