Date posted: 13-May-2015 | Category: Technology | Upload: ana-meskovska
If you don’t want to help yourself, no one can
System for Information Security
Jasmina [email protected]
ELSA Conference, Strumica, 27.11.2008
Contents
• What is ISO27001?
• What is a management system?
• Methodology for implementation of ISO27001:2005
– Asset management
– Risk management
– Policies and procedures development
– Internal audit
• ISO 27001 certification
Introduction to ISO27001:2005
Introduction to ISO 27001
• ISO 27001 is the international standard for Information Security Management Systems (ISMS)
• Full title: ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements
• Latest version at the time of this talk (2008): ISO/IEC 27001:2005
What is a management system?
• A management system is a documented system of policies, objectives and standard practices for achieving those objectives.
• Organizations operate management systems through:
– Organizational structure
– Systematic processes and the related resources
– Measurements and a methodology for evaluation
– Management review
– Corrective and preventive actions
What is ISO 27001:2005?
• International, structured methodology dedicated to
information security
• Defined processes for evaluation, implementation,
maintenance and management of information
security
• Overall set of controls based on best practices for
information security
• Developed by the industry for itself
What isn’t ISO 27001:2005?
• It is not a technical standard
• It is not tied to any particular technology or product
• It is not a product evaluation methodology like Common Criteria / ISO 15408
• It is not the "Generally Accepted System Security Principles" (GASSP)
• It is not the "Guidelines for the Management of IT Security" (GMITS / ISO TR 13335)
Structure of the standard ISO27001:2005
• Introduction
• Scope
• Normative references
• Definitions
• Requirements
Annexes:
• Annex A (normative) – Control objectives and controls
• Annex B (informative) – OECD principles and this standard
• Annex C (informative) – Correspondence with ISO 9001 and ISO 14001
ISO 27001 control objectives and controls (Annex A)
1. Security policy
2. Organizing information security
3. Asset management
4. Human resources security
5. Physical & environmental security
6. Communications & operations management
7. Access control
8. Information systems acquisition, development & maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
PDCA approach: Plan-Do-Check-Act
• Plan – establish the ISMS (scope, policy, risk assessment, selection of controls)
• Do – implement and operate the ISMS
• Check – monitor and review the ISMS (measurements, internal audit, management review)
• Act – maintain and improve the ISMS (corrective and preventive actions)
Benefits
• Improved information security
• Competitive advantage
• Customer satisfaction
• Globally accepted standard
• Focuses on the responsibilities of employees
• Supports compliance with legislation and other regulations:
– Law on classified information
– Law on personal data protection
– BASEL II
– Sarbanes-Oxley
• Complementary to other ISO standards
Methodology for implementation of ISO27001:2005
Methodology for implementation of ISO27001:2005 1/2
Phases 1 and 2 (each step lists its inputs and its outputs)

Step 1: Top Management Commitment – Definition of Scope
  Input: Top management
  Output: ISMS Scope, Allocation of resources
Step 2: Start Project
  Output: Project Charter, Project Team, Project resources
Step 3: Definition of Information Security Policy and Organization
  Input: ISMS Scope
  Output: ISMS Policy, ISMS Organization Structure
Step 4: Identify and Classify the Assets
  Input: Process Model, Scope, Existing documentation
  Output: Asset Inventory
Step 5: Identify and Assess the Risks
  Input: Asset Inventory, Scope
  Output: Risk Assessment
Step 6: Plan for Risk Treatment & Selection of Controls
  Input: Risk Assessment
  Output: Risk Management & SoA (Statement of Applicability)

Training: ISO27001:2005 implementation
Management approval for the level of acceptable risk & the selected controls
Definition of policies
• Policy – a course of conduct to be followed
• Structure of the policy
– Purpose
– Scope
– Legal commitments
– Strategic approach
– Responsibilities
– Revision of the policy
– Implementation of the policy
Legal compliance
• Law on personal data protection
• Law on classified information
• E-Commerce Law
• Law on data in electronic form and electronic signature
• Law on Copyright and related rights
• Law on industrial property
• Law on electronic communications
• Law on communications monitoring
• Law on free access to public information
• Criminal code
Asset management
• Identification of assets
• Grouping of assets
• Preparation of asset inventory
• Grouping of information assets
• Definition of level of confidentiality
• “Classification” of information assets
• Defining asset management strategy
Risk management
• Choose an appropriate risk assessment methodology
• Form a team to conduct the risk assessment
• Conduct the risk assessment
– Identify the possible threats to the identified assets
– Calculate the risk for each asset/threat pair (taking into consideration the likelihood of the threat, the vulnerability of the asset, the value of the asset etc.)
– Define the acceptable level of risk (approved by management)
– Risk treatment – select a treatment option for each risk above the acceptable level (apply controls to mitigate, knowingly accept, transfer, or avoid)
• Choose the appropriate controls (documented in the Statement of Applicability) and prepare a plan for their implementation
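The asset classification and risk scoring steps above, worked through in code. This is an added example, not material from the presentation: ISO/IEC 27001 requires a defined and repeatable method but does not prescribe one, so the 1–5 scales, the risk = value × likelihood × vulnerability formula, the four-level classification scheme, the acceptable-risk threshold of 20, the sample assets and threats, and the mapping of each threat to an Annex A control are all assumptions made here for illustration.

```python
"""Constructed ISO 27001-style asset inventory, risk register and SoA.

Everything here (scales, formula, sample data, control mapping) is an
assumption for illustration, not the method of the original presentation.
"""
from dataclasses import dataclass
from typing import Dict, List

SCALE = range(1, 6)  # qualitative 1..5 scale for value, likelihood, vulnerability


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    group: str             # asset group, e.g. "information", "service", "hardware"
    confidentiality: int   # 1..5, drives the classification label
    value: int             # 1..5, business impact if the asset is compromised


@dataclass(frozen=True)
class Threat:
    asset: str             # name of the asset the threat applies to
    description: str
    likelihood: int        # 1..5, probability that the threat occurs
    vulnerability: int     # 1..5, how exposed the asset is to it
    control: str           # Annex A control that would treat it (assumed mapping)


def classify(asset: Asset) -> str:
    """Confidentiality score -> classification label (assumed four-level scheme)."""
    if asset.confidentiality >= 5:
        return "Strictly confidential"
    if asset.confidentiality >= 4:
        return "Confidential"
    if asset.confidentiality >= 2:
        return "Internal"
    return "Public"


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = asset value x threat likelihood x vulnerability, range 1..125."""
    for score in (asset.value, threat.likelihood, threat.vulnerability):
        if score not in SCALE:
            raise ValueError(f"score {score} is outside the 1..5 scale")
    return asset.value * threat.likelihood * threat.vulnerability


def build_register(assets: List[Asset], threats: List[Threat],
                   acceptable: int) -> List[Dict]:
    """Pair every threat with its asset, score it and decide accept vs. treat.

    Risks at or below the management-approved acceptable level are accepted;
    everything above it must be treated (mitigated by a control, transferred
    or avoided). Rows are returned highest risk first.
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        asset = by_name[t.asset]   # KeyError here = threat for an asset not in the inventory
        score = risk_score(asset, t)
        treat = score > acceptable
        rows.append({
            "asset": asset.name,
            "classification": classify(asset),
            "threat": t.description,
            "risk": score,
            "decision": "treat" if treat else "accept",
            "control": t.control if treat else None,
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def statement_of_applicability(register: List[Dict]) -> Dict[str, List[str]]:
    """Controls selected for treated risks, each with the threats that justify it."""
    soa: Dict[str, List[str]] = {}
    for row in register:
        if row["decision"] == "treat":
            soa.setdefault(row["control"], []).append(row["threat"])
    return soa


# Constructed sample inventory; asset names, owners and scores are invented.
SAMPLE_ASSETS = [
    Asset("customer_db", "Head of Sales", "information", 5, 5),
    Asset("public_website", "Marketing", "service", 1, 3),
    Asset("file_server", "IT", "hardware", 3, 4),
]
SAMPLE_THREATS = [
    Threat("customer_db", "SQL injection through the web application", 4, 3, "A.12.6.1"),
    Threat("customer_db", "Disk failure with no tested backup", 2, 4, "A.10.5.1"),
    Threat("public_website", "Website defacement", 3, 2, "A.12.6.1"),
    Threat("file_server", "Theft of equipment from the office", 1, 2, "A.9.2.1"),
]
ACCEPTABLE_RISK = 20   # level approved by top management (assumed)

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS, SAMPLE_THREATS, ACCEPTABLE_RISK)
    for row in register:
        print(f"{row['risk']:>3}  {row['decision']:<6} {row['asset']:<15} {row['threat']}")
    print("SoA:", statement_of_applicability(register))
```

Running the block prints the register ordered by risk (60, 40, 18, 8 for the sample data) and the resulting Statement of Applicability, which lists only the controls that a treated risk justifies; accepted risks stay in the register with no control, which is the record an auditor expects to see for the accepted level.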
Methodology for implementation of ISO27001:2005 2/2
Phases 3 to 6 (each step lists its inputs and its outputs)

Step 7: GAP Assessment
  Input: ISMS Scope
  Output: GAP Assessment Report
Step 8: Development of policies and procedures
  Input: Risk Management & SoA
  Output: ISMS Manual
  (Client input is key: the client prepares the procedures)
Step 9: Plan for implementation of the ISMS
  Input: ISMS Manual, Specific Policies, supporting procedures
  Output: Plan for implementation of the ISMS
Step 10: First Internal Audit
  Input: ISMS Manual, Implemented ISMS
  Output: Internal Audit Plan, Internal Audit Report
Step 11: First Management Review
  Input: ISMS Manual, Internal Audit Report
  Output: Management Review Notes
Step 12: Implementation of Corrective / Preventive Actions
  Input: ISMS Manual, Internal Audit Report, Management Review Notes
  Output: Corrective / Preventive Action Report
Step 13: Pre-certification Audit
  Input: ISMS Manual, Implemented ISMS
  Output: Pre-certification assessment report
Step 14: Certification Follow-up & Promotion
  Input: ISMS Manual, Certification Audit Report
  Output: Communication and promotion plan

Training: ISO27001:2005 Internal Audit
Training: ISMS awareness for all employees
Development of procedures
• Procedure - an ordered set of tasks for performing some action
• Structure of procedures
– Purpose
– Scope
– Responsibility and authority
– Description of activities
– Records
– Enforcement
– Review
– Approval
Internal audit
• A process of independent and objective assessment
• Includes a systematic methodology for business process modeling, problem analysis and recommendation of solutions
• Collects evidence for an objective assessment of the effectiveness of the management system
• The objective of such an audit is to find the shortcomings and weaknesses of the management system and to identify opportunities for its improvement
Internal audit vs. Certification audit
Internal audit:
• Auditors – employees
• Looks for non-conformities in order to improve the system
• Conducted at least once a year, covering all processes
Certification audit:
• Auditors – external persons
• Looks for conformities in order to certify the system
• Conducted once or twice a year, covering selected aspects
Control of documents and records
• Requirement of the standard
– storage: approval, availability, versioning
– protection and control
– traceability
• Challenge – how to satisfy, at the same time, the requirements of the legislation for archiving documents and records
ISO 27001 certification
Compliance vs. Certification
• Any organization can claim compliance with the ISO 27001 standard
• Such claims are more valuable when they are independently verified as part of a formal certification scheme
• An ISO 27001 certified organization
– must comply with the standard
– must be assessed by a registered (accredited) certification body
What is certification?
• Certification refers to the confirmation of certain characteristics of an object, person, or organization
• Certification of an organization's information security management system means acknowledgment that the organization has implemented a management system that satisfies the requirements of ISO 27001
• Certification is voluntary
• The certificate is a public document
• A list of certified organizations can be found on www.xisec.com
Benefits from the certification
• Opportunity for identification and improvement of weaknesses
• Commitment from the top management
• Independent review of your Information Security Management System (ISMS)
• Raises confidence among partners, clients and interested parties (certification shows 'due diligence')
• Awareness raising among employees
• Mechanism for measuring the effectiveness of the management system
Questions?