Slide 1

© CGI Group Inc. NOT PROTECTIVELY MARKED People who know how

DSP Smart Metering Programme ISO/IEC 27001 Certification

William Bowers, DSP Chief Information Security Officer 19th June 2014

Slide 2

Content / Outline

• DSP Partnership – CGI & QinetiQ

• Brief Introduction to ISO 27001 Standard and Certification

• ISO 27001 and the DSP Programme

• Gaining Certification

• Summary


Slide 3

QinetiQ and CGI DSP Partnership

• CGI and QinetiQ partnered for the DSP bid and programme
• QinetiQ are providing for the DSP:
  • Security expertise to develop secure policies and procedures
  • Achieve ISO 27001 certification
  • Security Health Checks
  • Secure Operations Centre (SOC) for security monitoring
• QinetiQ provide CGI with a level of independence and objectivity in terms of the risk assessment, security testing and security monitoring
  • Avoids “marking your own homework”


Slide 4

QinetiQ’s Security Credentials

A formidable security partner

• Ex-DERA

• Over 50 years of security heritage

• List X status with 6500 security-cleared staff

• International security experts in understanding threats and how to counter them

• Unrivalled knowledge of security technology – we know what works and where to find it

• Trusted by Governments to respect their special needs and protect their secrets

• Security partners of choice by numerous commercial companies


Slide 5

Introduction to ISO/IEC 27001

• ISO 27001 Information Security Management System is the international best practice standard for information security.
• ISO 27001:2013 is the current version.
• Suitable for any organisation, especially where the protection of information is critical.
• The key security properties considered throughout the DSP ISMS are:
  • Confidentiality: Protecting information from unauthorised parties;
  • Integrity: Protecting information from modification by unauthorised users;
  • Availability: Making information available to authorised users.


Slide 6

ISO 27001 Summary

The standard includes directions for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS.


Presenter notes: Is the colour coding recognised within 27001? It may be definitions, but I would have said that Access Control can be physical (locked doors, etc.) and technical (passwords, authentication)? Information Security Incident Management I would suggest is more procedural than technical. Worth understanding the distinction between Management Aspects and Procedural Aspects, as I would expect that management policies are supported by operational procedures.
Slide 7

PLAN, DO, CHECK, ACT


Presenter notes: A ‘Plan, Do, Check, Act’ cycle underpins the ISMS. The ‘Plan’ phase covers designing the ISMS, assessing information security risks and selecting appropriate controls. The ‘Do’ phase involves implementing and operating the controls. The ‘Check’ phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS. The ‘Act’ phase makes changes where necessary to bring the ISMS back to peak performance.
Slide 8

ISO 27001 Certification

This is a two-stage process:
• Stage One: checks that the documentation is capable of being audited.
• Stage Two: audits the effectiveness of the system.
Both stages must be completed to achieve ISO 27001 certification. Re-audited every six months.


Slide 9

DSP ISMS Structure

• Stage 1 audit – July 2015
• Stage 2 audit – September 2015


Presenter notes: Sept 2015 seems a little close to go live for Certification – may get some questions on this.
Slide 10

ISO 27001 and Service Users

Slide 11

ISO 27001 and the Smart Meter Programme

• Information Security is a key element of the Programme.
• Scope for Smart Meter eco-system
  • DCC, DSP, CSPs.
• ISO 27001 scope
  • Appropriate to business benefit
  • SEC and Codes of Connection
• Security is a business-enabler; integrated into all functions.
• Embed a security culture.
• Compliance to ISO 27001.


Slide 12

Benefits of ISO 27001

• Completing ISO 27001 information security management system certification will aid organisations in managing and protecting valuable data and information assets. For example:
  • Keeps confidential information secure
  • Provides customers with confidence in how you manage risk
  • Allows for secure exchange of information
  • Ensures you are meeting legal obligations
  • Manages and minimises exposure to risk
  • Brings a culture of security
  • Protects the company, assets, shareholders and directors
  • Provides a competitive advantage
  • Enhanced customer satisfaction
  • Consistency in delivery of service


Slide 13

Summary

• Not all about documentation:
  • Processes
  • Performing health checks, both infrastructure and application
  • Meetings and minutes
  • Recording incidents
  • Continuous improvement


Slide 14

Thank you
