If you don’t want to help yourself, no one can. System for Information Security. Jasmina Trajkovski, Ana Meskovska. ELSA Conference, Strumica, 27.11.2008.
Page 1: 4 System For Information Security

If you don’t want to help yourself,

no one can

System for

Information Security

Jasmina Trajkovski

Ana Meskovska

ELSA Conference, Strumica, 27.11.2008

Page 2: 4 System For Information Security


Contents

• What is ISO27001?

• What is management system?

• Methodology for implementation of ISO27001:2005

– Asset management

– Risk management

– Policies and procedures development

– Internal audit

• ISO 27001 certification

Page 3: 4 System For Information Security


Introduction to ISO27001:2005

Page 4: 4 System For Information Security


Introduction to ISO 27001

• ISO 27001 is the international standard for an Information Security Management System (ISMS)

• Full title: ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements

• Version current at the time of this talk (2008): ISO/IEC 27001:2005

Page 5: 4 System For Information Security


What is a management system?

• A management system is a documented system of policies, objectives and standard practices for achieving those objectives.

• Organizations operate a management system through:

– Organizational structure

– Systematic processes and the related resources

– Measurements and a methodology for evaluation

– Management review

– Corrective and preventive actions

Page 6: 4 System For Information Security


What is ISO 27001:2005?

• An international, structured methodology dedicated to information security

• Defined processes for evaluation, implementation, maintenance and management of information security

• A comprehensive set of controls based on best practices for information security

• Developed by the industry for itself

Page 7: 4 System For Information Security


What ISO 27001:2005 is not

• A technical standard

• Tied to a particular technology or product

• A methodology for evaluating products or equipment, like Common Criteria / ISO/IEC 15408

• Tied to the "Generally Accepted System Security Principles" – GASSP

• Tied to the "Guidelines for the Management of IT Security" – GMITS / ISO/IEC TR 13335

Page 8: 4 System For Information Security


Structure of the standard ISO27001:2005

• Introduction

• Scope

• Normative references

• Terms and definitions

• Requirements

Annexes:

• Annex A (normative) – Control objectives and controls

• Annex B (informative) – OECD principles

• Annex C (informative) – correspondence with ISO 9001 and ISO 14001

Page 9: 4 System For Information Security


ISO 27001 control objectives and controls

1. Security policy

2. Organizing information security

3. Asset management

4. Human resources security

5. Physical & environmental security

6. Communications & operations management

7. Access control

8. Information systems acquisition, development & maintenance

9. Information security incident management

10. Business continuity management

11. Compliance

Page 10: 4 System For Information Security


PDCA approach: Plan-Do-Check-Act

• Plan – establish the ISMS: scope, policy, risk assessment, risk treatment plan and selected controls

• Do – implement and operate the ISMS

• Check – monitor and review the ISMS: measurements, internal audits, management review

• Act – maintain and improve the ISMS: corrective and preventive actions

Page 11: 4 System For Information Security


Benefits

• Increased information security

• Competitive advantage

• Customer satisfaction

• Globally accepted standard

• Focuses on the responsibilities of employees

• Supports compliance with legislation and other regulations, e.g.:

– Law on classified information

– Law on personal data protection

– Basel II

– Sarbanes-Oxley

• Complementary with other ISO standards

Page 12: 4 System For Information Security


Methodology for implementation of ISO27001:2005

Page 13: 4 System For Information Security

Methodology for implementation of ISO27001:2005 1/2

(Phases 1 and 2 of the project; the slide's flowchart is rendered here as a list of steps with their inputs and outputs. Training delivered in this part: ISO27001:2005 implementation.)

• Step 1: Top Management Commitment – Definition of Scope

– Input: Top management

– Output: ISMS Scope, Allocation of resources

• Step 2: Start Project

– Output: Project Charter, Project Team, Project resources

• Step 3: Definition of Information Security Policy and Organization

– Input: ISMS Scope

– Output: ISMS Policy, ISMS Organization Structure

• Step 4: Identify and Classify the Assets

– Input: Process Model, Scope, Existing documentation

– Output: Asset Inventory

• Step 5: Identify and Assess the Risks

– Input: Asset Inventory, Scope

– Output: Risk Assessment

• Step 6: Plan for Risk Treatment & Selection of Controls

– Input: Risk Assessment

– Output: Risk Management & SoA

• Gate before proceeding: Management approval of the level of acceptable risk and of the selected controls

Page 14: 4 System For Information Security


Definition of policies

• Policy – a course of conduct to be followed

• Structure of the policy

– Purpose

– Scope

– Legal commitments

– Strategic approach

– Responsibilities

– Revision of the policy

– Implementation of the policy

Page 15: 4 System For Information Security


Legal compliance

• Law on personal data protection

• Law on classified information

• E-Commerce Law

• Law on data in electronic form and electronic signature

• Law on copyright and related rights

• Law on industrial property

• Law on electronic communications

• Law on communications monitoring

• Law on free access to public information

• Criminal code

Page 16: 4 System For Information Security


Asset management

• Identification of assets

• Grouping of assets

• Preparation of asset inventory

• Grouping of information assets

• Definition of level of confidentiality

• “Classification” of information assets

• Defining asset management strategy

Page 17: 4 System For Information Security


Risk management

• Choose an appropriate risk assessment methodology

• Form a team to conduct the risk assessment

• Conduct the risk assessment

– Identify possible threats to the identified assets

– Calculate the risk factors (taking into consideration the likelihood of the threat, the vulnerability of the asset, the impact on the asset, etc.)

– Define the acceptable level of risk

– Risk treatment – select a treatment option for each risk above that level (acceptance, mitigation by applying controls, transfer; the standard also allows avoiding the risk)

• Choose appropriate controls and prepare a plan for their implementation
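The asset classification and risk assessment steps above, as an added worked example that is not part of the presentation: a small risk register in Python that scores each asset/threat pair, applies a management-approved acceptable level, picks a treatment, and derives a Statement of Applicability (SoA) from the risks that need mitigation. The scoring scale (asset value taken from the confidentiality class, times likelihood, times vulnerability, each on 1..5), the threshold of 20, the sample assets and threats, and the mapping of threats to Annex A control numbers are all assumptions constructed for this example; the control numbers follow the 2005 edition of Annex A as recalled here and should be checked against the standard before reuse.

```python
"""Added example: a minimal ISO 27001-style risk register and SoA builder.
Scales, thresholds, assets, threats and control references are constructed
for illustration; they are not the presenters' method or data."""
from __future__ import annotations

from dataclasses import dataclass

# Asset value derived from the confidentiality level assigned during
# asset classification (the 1..4 scale is an assumption for this example).
CLASSIFICATION_VALUE = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}

# Risk level management has signed off as acceptable (assumed value).
ACCEPTABLE_RISK = 20


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # every inventoried asset needs a named owner
    classification: str  # key of CLASSIFICATION_VALUE


@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    vulnerability: int          # 1 (well protected) .. 5 (fully exposed)
    control: str                # control that would reduce this risk (assumed)
    transferable: bool = False  # e.g. insurable, so transfer is an option


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    score: int
    treatment: str  # accept | mitigate | transfer
    control: str


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = asset value x likelihood x vulnerability (range 1..100)."""
    for label, value in (("likelihood", threat.likelihood),
                         ("vulnerability", threat.vulnerability)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be in 1..5, got {value}")
    return CLASSIFICATION_VALUE[asset.classification] * threat.likelihood * threat.vulnerability


def choose_treatment(score: int, acceptable: int, transferable: bool) -> str:
    """Accept if within the approved level; otherwise transfer when possible,
    else mitigate by selecting a control (avoidance is a business decision
    outside this example)."""
    if score <= acceptable:
        return "accept"
    return "transfer" if transferable else "mitigate"


def build_register(assets, threats_by_asset, acceptable=ACCEPTABLE_RISK):
    """Risk register sorted by descending score, one entry per asset/threat pair."""
    register = []
    for asset in assets:
        for threat in threats_by_asset.get(asset.name, ()):
            score = risk_score(asset, threat)
            treatment = choose_treatment(score, acceptable, threat.transferable)
            register.append(RiskEntry(asset.name, threat.description, score,
                                      treatment, threat.control))
    return sorted(register, key=lambda e: e.score, reverse=True)


def statement_of_applicability(register, catalogue):
    """SoA: for every control in the catalogue, whether it is selected and why.
    Only risks treated by mitigation justify selecting a control; every other
    control gets an explicit justification for being left out."""
    soa = {}
    for control in catalogue:
        reasons = sorted(f"{e.asset}: {e.threat} (score {e.score})"
                         for e in register
                         if e.control == control and e.treatment == "mitigate")
        soa[control] = {
            "applicable": bool(reasons),
            "justification": "; ".join(reasons)
            or "no risk above the acceptable level requires it",
        }
    return soa


# Constructed sample inventory and threat list (not real data).
ASSETS = [
    Asset("Client database", "Legal department", "confidential"),
    Asset("Public website", "Marketing", "public"),
    Asset("HR records", "Human resources", "secret"),
]
THREATS = {
    "Client database": [
        Threat("Access by former employee whose account was not removed", 3, 4, "A.8.3.3"),
        Threat("Disk failure without backup", 2, 2, "A.10.5.1"),
    ],
    "Public website": [Threat("Defacement via unpatched CMS", 4, 3, "A.12.6.1")],
    "HR records": [Threat("Theft of laptop holding a local copy", 3, 3, "A.9.2.5",
                          transferable=True)],
}
CONTROL_CATALOGUE = ["A.8.3.3", "A.9.2.5", "A.10.5.1", "A.12.6.1"]

if __name__ == "__main__":
    register = build_register(ASSETS, THREATS)
    for entry in register:
        print(f"{entry.score:3d}  {entry.treatment:8s}  {entry.asset}: {entry.threat}")
    for control, row in statement_of_applicability(register, CONTROL_CATALOGUE).items():
        print(control, row)
```

Two design points worth noting: the acceptable level is a single parameter so that the approval gate from the methodology (management signs off on the level, then on the selected controls) is visible in the code, and the SoA records a justification for excluded controls as well as included ones, which is what a certification auditor asks for.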

Page 18: 4 System For Information Security

Methodology for implementation of ISO27001:2005 2/2

(Phases 3 to 6 of the project; the slide's flowchart is rendered here as a list of steps with their inputs and outputs. Client input is key: the client prepares the procedures. Training delivered in this part: ISO27001:2005 Internal Audit, and ISMS awareness for all employees. The slide's references to a "QMS" and a "Quality Manual" are leftovers from a quality-management template and are read as ISMS and ISMS Manual below.)

• Step 7: GAP Assessment

– Input: ISMS Scope

– Output: GAP Assessment Report

• Step 8: Development of policies and procedures

– Input: Risk Management & SoA

– Output: ISMS Manual

• Step 9: Plan for implementation of the ISMS

– Input: ISMS Manual, Specific Policies, supporting procedures

– Output: Plan for implementation of the ISMS

• Step 10: First Internal Audit

– Input: ISMS Manual, Implemented ISMS

– Output: Internal Audit Plan, Internal Audit Report

• Step 11: First Management Review

– Input: ISMS Manual, Internal Audit Report

– Output: Management Review Notes

• Step 12: Implementation of Corrective / Preventive Actions

– Input: ISMS Manual, Internal Audit Report, Management Review Notes

– Output: Corrective / Preventive Action Report

• Step 13: Pre-certification Audit

– Input: ISMS Manual, Implemented ISMS

– Output: Pre-certification assessment report

• Step 14: Certification Follow-up & Promotion

– Input: ISMS Manual, Certification Audit Report

– Output: Communication and promotion plan

Page 19: 4 System For Information Security


Development of procedures

• Procedure – an ordered set of tasks for performing some action

• Structure of procedures

– Purpose

– Scope

– Responsibility and authority

– Description of activities

– Records

– Enforcement

– Review

– Approval

Page 20: 4 System For Information Security


Internal audit

• A process of independent and objective assessment

• Uses a systematic methodology for business process modelling, problem analysis and recommendation of solutions

• Collects evidence for an objective assessment of the effectiveness of the management system

• Its objective is to find the shortcomings and weaknesses of the management system and to identify opportunities for its improvement

Page 21: 4 System For Information Security


Internal audit vs. Certification audit

Internal audit:

• Auditors – employees

• Looks for non-conformities in order to improve the system

• Conducted at least once a year, covering all processes

Certification audit:

• Auditors – external persons

• Looks for conformities in order to certify the system

• Conducted once or twice a year, covering selected aspects

Page 22: 4 System For Information Security


Control of documents and records

• Requirements of the standard

– storage: approval, availability, versioning

– protection and control

– traceability

• Challenge – reconciling these requirements with the legal requirements for archiving documents and records

Page 23: 4 System For Information Security


ISO 27001 certification

Page 24: 4 System For Information Security


Compliance vs. Certification

• Any organization can claim compliance with the ISO 27001 standard

• Such claims are far more valuable when they are independently verified as part of a formal certification scheme

• An ISO 27001 certified organization

– must comply with the standard

– must be assessed by an accredited certification body

Page 25: 4 System For Information Security


What is certification?

• Certification is the confirmation of certain characteristics of an object, person, or organization

• Certification of an organization's information security management system acknowledges that the organization has implemented a management system that satisfies the requirements of ISO 27001

• Certification is voluntary

• The certificate is a public document

• A list of certified organizations can be found at www.xisec.com

Page 26: 4 System For Information Security


Benefits from the certification

• Opportunity for identification and improvement of weaknesses

• Commitment from the top management

• Independent review of your Information Security Management System (ISMS)

• Raises confidence among partners, clients and interested parties (certification shows 'due diligence')

• Awareness raising among employees

• Mechanism for measuring the effectiveness of the management system

Page 27: 4 System For Information Security


Questions?