Information Security Management System ISO 27001:2013 ...engg.hbl.in/qms/pdfs/ISO 27001_ISMS...
Date post: 03-Aug-2021
Page 1: Information Security Management System ISO 27001:2013 ...engg.hbl.in/qms/pdfs/ISO 27001_ISMS Awareness Training...Refer to ( ISO/IEC 27001:2013 clause 6.1, 6.2, 6.3) ISO 27001 –ISMS

TUV INDIA PVT. LTD.

Delegate Notes

Information Security Management System

ISO 27001:2013

AWARENESS TRAINING


Page 3

WELCOME

• Safety - Be aware of emergency exits

• Restroom and Telephones - Nearest locations

• Contact Number - For urgent messages

• Personal Property - Keep possessions secure

• Mobile Phones - Please avoid interruptions

• Recording Devices - Not allowed in class

• Lunch and Breaks - Please return on time

• Smoking - Not permitted in the classroom

• Special Needs - Please inform the instructor

Page 4

STUDENT INTRODUCTIONS

• Delegate’s name

• Company and product/service

• Job position / role

• Level of awareness of ISO 27001 Standard

• Level of involvement in organization’s ISMS

• What are your expectations from this course?

Page 5

COURSE OBJECTIVES

To understand basic concepts of ISMS

To understand basic requirements of ISO 27001:2013 &

its interpretation

Page 6

EXPECTATIONS

Participants are expected to have a reasonably good awareness of the various functions and processes of an organization

Participation during discussions

Participation in individual / syndicate group exercises

The course is generic and not tailor-made for a particular type of industry

Page 7

COURSE CONTENTS

Introduction to ISO 27001,

Development & History

Family of ISO 27000 series of standards,

Basic requirements of ISO 27001:2013 & its

interpretation,

Risk assessment

SOA

Overview of implementation & certification

Exercise

Course summary,

End of course.

Page 8

ISMS AWARENESS TRAINING

Session 2

History

Page 9

UNDERSTAND THE BASICS

Generic

Generic means that the same standard can be applied to any organization.

Management System

A management system is what the organization does to manage its processes or activities in order to achieve its objectives.

Management System Standards

Management system standards provide a model to follow in setting up and operating a management system.

Page 10

ISO 27001 History …

1995 - BS 7799 Part 1 - Initiative from the Department of Trade and Industry

1998 - BS 7799 Part 2

Swedish standard SS 62 77 99 Part 1 & 2

1999 - New issue of BS 7799 Part 1 & 2

December 2000 - ISO/IEC 17799:2000

2001 - New BS 7799-2 (drafted)

Sep 2002 - New BS 7799-2 passed and accepted

2005 - "Change BS to ISO/IEC Std": new issue of ISO 27001:2005; new issue of ISO 27002:2005

2013 - New issue of ISO 27001:2013; new issue of ISO 27002:2013

Page 11

Session 3

Information Security Management System

Page 12

ISO 27001:2013 OVERVIEW

What is information security?

“Information security protects

information from a wide range of threats

in order to ensure business continuity,

minimize business damage and maximize

return on investments and business

opportunities”

Page 13

Terms and Definitions

ISMS addresses the fundamental principles of security in terms of CIA:

Confidentiality (C) - Ensures that information is accessible only to those authorized to have access

Integrity (I) - Safeguards the accuracy and completeness of information and processing methods

Availability (A) - Ensures that authorized users have access to information and associated assets when required

Page 14

Introduction to ISO 27001

ISO/IEC 27001:2013, Information Technology –

Security Techniques – Information Security

Management Systems - Requirements

ISO/IEC 27002:2013, Information Technology –

Security Techniques – Code of practice for

Information Security Controls

Page 15

Introduction to ISO 27001

International Standard provides a model for

establishing, implementing, maintaining, and

continually improving Information Security

Management System.

Shares its high-level structure with other management system standards, e.g. ISO 22301:2012.

Page 16

ISO 27001 Requirements

Mandatory Requirements:

ISO/IEC 27001 Section 4.0 (Context of the Organization)

ISO/IEC 27001 Section 5.0 (Leadership)

ISO/IEC 27001 Section 6.0 (Planning)

ISO/IEC 27001 Section 7.0 (Support)

ISO/IEC 27001 Section 8.0 (Operation)

ISO/IEC 27001 Section 9.0 (Performance Evaluation)

ISO/IEC 27001 Section 10.0 (Improvement)

Page 17

ISO 27001 Requirements

Reference Control Objectives & Controls (Annex A)

A.5 Information Security Policies

A.6 Organization of Information Security

A.7 Human Resource Security

A.8 Asset Management

A.9 Access Control

A.10 Cryptography

A.11 Physical and Environmental Security

A.12 Operations Security

A.13 Communications security

A.14 System acquisition, development & maintenance

A.15 Supplier Relationships

A.16 Information security incident management

A.17 Information security aspects of BCM

A.18 Compliance

Page 18

P – D – C – A Of Standard ISO 27001:2013

Rev. 04, Dec 2013

Page 19

Plan

Establish the

ISMS

Do

Implement

and operate the

ISMS

Check

Monitor and

review the

ISMS

Act

Maintain and

improve the

ISMS

ISO/IEC 27001 Framework

Page 20

0.2 P-D-C-A MODEL

Inputs – interested parties' requirements for the ISMS

Outputs – necessary actions, processes and procedures to manage the ISMS and meet the requirements

Plan – clauses 4, 5, 6, 7

Do – clause 8

Check – clause 9

Act – clause 10

Page 21

Plan

Sec. 4, Context of Org.

Sec. 5, Leadership

Sec. 6, Planning - Risk Mgmt

Sec. 7, Support (Resources)

Do

Sec. 8, Operational planning and controls

Check

Sec. 9, Performance Evaluation

Monitoring : Internal Audit

Review : Management Review

Act

Sec. 10, Improvement

Non conformity – Corrective action

Continual Improvement

ISO/IEC 27001:2013 Framework

Page 22

INFORMATION SECURITY

(Diagram) Information security preserves the confidentiality, integrity and availability of information, whatever form the information takes: electronic, paper, voice or e-mail. The main sources of security requirements are risk assessment, the objectives of the organization, and legal & contractual obligations. Security is achieved by implementing policies, procedures, practices, software functions and an organizational structure.

Page 23

ISO 27001 Concepts

•Must specify Security Goals

•Controls based on Risk Analysis

•Choice on controls “A.5 to A.18”

•Continuous Verification Process

•Continuous Improvement Process

Page 24

ISO 27001 Requirements

•Section 4 – 10 – Mandatory

•Annex A – Control objectives and controls

Note:

The organization can identify exclusions from Annex A, which in turn must be justified in the SOA.

Page 25

ISO/IEC 27001 Mandatory sections

•Section 1 - Scope

•Section 2 – Normative References

•Section 3 – Terms and definitions

•Section 4 – Context of the Organization

•Section 5 – Leadership

•Section 6 - Planning

•Section 7 – Support

•Section 8 – Operation

•Section 9 – Performance evaluation

•Section 10- Improvement

•Annex A – Reference Control objectives & controls

Page 26

ISO/IEC 27001 Scope

Establish, Implement, Maintain and continually

improve a documented ISMS within context of

Organization’s overall risk.

Implement adequate and proportionate

security controls to protect Information Assets.

ISO 27001 Std Section 1.0

Page 27

ISO/IEC 27001 Application

ISO 27001 Std Section 1.0

The ISMS requirements are generic and intended to apply to all organizations, regardless of type, size or nature of business.

Exclusion of any of the requirements in Clauses / Sections 4.0 to 10.0 is not acceptable when an organization claims conformity to this International Standard. (Only Annex A controls may be excluded, and each exclusion must be justified in the SOA.)

Page 28

ISO/IEC 27001 Normative references

ISO 27001 Std Section 2.0

ISO/IEC 27000, Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary

(ISO/IEC 27002:2013, the code of practice for information security controls, is referenced for implementation guidance on the Annex A controls, but it is not a normative reference of ISO/IEC 27001:2013.)

Page 29

ISO 27001 - ISMS

ISO 27001 Std Section 4.1

Understanding the Organization and its context:

The Organization shall determine external and

internal issues that are relevant to its purpose and

that affects its ability to achieve the intended

outcomes of its ISMS.

Refer ISO/IEC 27001 Section 4.1

Note: Determining these issues refers to establishing the external and internal context of the organization considered in clause 5.3 of ISO 31000:2009

Page 30

INTERNAL CONTEXT - EXAMPLES OF SOURCES OF RISK

Internal source of risk: Risk issues

People: knowledge retention, skills, integrity, loyalty, industrial relations, competency, currency of expertise, employment costs, equity, workload management, ethics, demographics, health and safety

Data/information: integrity, currency, relevance, access, storage, quality, timeliness, security, communication

Strategy: robustness, flexibility, strategic fit, planning capability, implementation, involvement, ownership

Stakeholder management: stakeholder needs, segmentation, fulfilment, relationships, service proposition, knowledge & understanding

Leadership: vision, management capability, innovation, culture, ethics, effectiveness, communication, involvement

Process/product/services: robustness, capability, intellectual property, life cycle, innovation, management controls, currency and relevance, quality, efficiency and effectiveness

Business results: business objectives, growth, sustainable development, performance, resilience, sustainability

Page 31

ISO 27001 - ISMS

ISO 27001 Std Section 4.2

Understanding the needs and expectations of

interested parties:

The Organization shall determine – interested

parties that are relevant to the information security

management system and the requirements of these

interested parties relevant to information security.

Refer ISO/IEC 27001 Section 4.2

Page 32

ISO 27001 - ISMS

ISO 27001 Std Section 4.3

Scope of ISMS:

The Organization shall determine the boundaries

and applicability of the ISMS to establish scope and

while determining scope the organization shall

consider 4.1 and 4.2.

Refer ISO/IEC 27001 Section 4.3

Page 33

ISO/IEC 27001 – Scope Definition

Scope Of ISMS encompass the following –

•Business Characteristics

•Organizational Characteristics

•Location

•Assets

•Technology

Page 34

ISO 27001 - ISMS

ISO 27001 Std Section 4.4

Establish, Implement, Maintain and continually

improve a documented ISMS in accordance with

this International Standard.

Refer ISO/IEC 27001 Section 4.4

Page 35

ISO 27001 - ISMS

ISO 27001 Std Section 5.0

5.1 Leadership and commitment

5.2 Policy

5.3 Organizational roles, responsibilities &

authorities

Refer ISO/IEC 27001 Section 5.0

Page 36

5. LEADERSHIP

5.1 Top Management shall demonstrate leadership and commitment with respect to the ISMS by:

a) Ensuring the information security policy and objectives are established and are compatible with the strategic direction of the Org.

b) Ensuring the integration of ISMS requirements into the Org.'s business processes

c) Ensuring that the resources needed for the ISMS are available

d) Communicating the importance of effective information security management and of conforming to the ISMS requirements

e) Ensuring that the ISMS achieves its intended outcome(s)

f) Directing and supporting persons to contribute to the effectiveness of the ISMS

g) Promoting continual improvement

h) Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

Page 37

5.2 POLICY

Top Management shall establish an information security policy that:

a) is appropriate to the purpose of the organization

b) provides a framework for setting IS objectives

c) includes a commitment to satisfy applicable requirements related to information security

d) includes a commitment to continual improvement of the ISMS

The policy shall:

e) be available as documented information

f) be communicated within the organization

g) be available to interested parties, as appropriate

Page 38

Information security policy - Minimum contents

•Brief explanation of policies, principles, standards and compliance requirements

•Legislative and contractual requirements

•Security education requirements

•Viruses and other malicious software

•Business continuity management

•Consequences of security policy violations

Page 39

5.3 ORG. ROLES, RESPONSIBILITIES AND AUTHORITIES

Responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top Management shall assign the responsibility and authority for:

a) ensuring that the ISMS conforms to the requirements of this International Standard

b) reporting on the performance of the ISMS to top management

Top management may also assign responsibilities and authorities for reporting performance of the ISMS within the Org. (e.g. appointment of a CISO / ISO)

Page 40

ISO 27001 - ISMS

ISO 27001 Std Section 6.0

6.0 Planning

6.1 Actions to address risks and opportunities

- General

- Information security risk assessment

- Information security risk treatment

6.2 Information security objectives and planning to achieve them

Refer ISO/IEC 27001 Section 6.0

Page 41

Cl. 5 ISO 31000 Risk Management Process

Communication and consultation (5.2)

Establishing the context (5.3)

Risk assessment (5.4):

– Risk identification (5.4.2)

– Risk analysis (5.4.3)

– Risk evaluation (5.4.4)

Risk treatment (5.5)

Monitoring and review (5.6)

Page 42

6 IS RISK MANAGEMENT

Risk Management Process (risk assessment, steps a–c, followed by risk treatment, steps d–h):

a. Define a risk assessment approach

b. Identify the risks

c. Analyse and evaluate the risks

d. Identify and evaluate options for the treatment of risks

e. Select control objectives and controls for the treatment of risks

f. Obtain owners' approval of the proposed residual risks

g. Owners' authorization to implement and operate the ISMS

h. Prepare a Statement of Applicability (SOA)

Refer to ISO/IEC 27001:2013 clauses 6.1.2 (risk assessment), 6.1.3 (risk treatment) and 6.2

Page 43

ISO 27001 – ISMS

ISO 27001 Std Section 6.1

• Formulate Risk treatment

• Control Implementation

• Implemented control measurement to assess

control effectiveness.

• Formulate training awareness program

• Manage ISMS operations

• Manage ISMS resources

• Implement Business continuity procedures in

response to Incidents

Page 44

ISO 27001 – ISMS

ISO 27001 Std Section 6.1

• Monitoring and review procedures to promptly detect errors and identified or attempted security breaches, with root cause analysis (RCA) and corrective action.

• Regular reviews that take into account security audits, incidents, effectiveness measurements, suggestions, etc.

• Regular reviews of the level of residual risk and of identified acceptable risk, correlating them with incidents, external events and changes to legal / regulatory requirements.

Note: The IS risk assessment & treatment process in ISO 27001:2013 aligns with

principles & generic guidelines provided in ISO 31000.

Page 45

ISO 27001 - ISMS

ISO 27001 Std Section 6.2

6.2 Information security objectives and planning to achieve them

The Organization shall establish information security objectives at relevant functions and levels

Refer ISO/IEC 27001 Section 6.2

Page 46

ISO 27001 - ISMS

ISO 27001 Std Section 7.0

7.0 Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

Refer ISO/IEC 27001 Section 7.0

Page 47

7.1 RESOURCES

The Org. shall determine and provide the resources needed for the ISMS:

Establishment

Implementation

Maintenance

Continual improvement

Page 48

7.2 COMPETENCE

Organization shall

Determine the necessary competence of persons doing work under its control that affects its IS performance

Ensure that these persons are competent on the basis of appropriate education, training and experience

Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken

Retain appropriate documented information as evidence of competence

E.g. provision of training to, mentoring of, or the reassignment of currently employed persons, or the hiring or contracting of competent persons

Page 49

7.3 AWARENESS

Persons doing work under the org. control shall be aware

of:

Information Security policy

Their contributions to the effectiveness of the ISMS,

including the benefits of improved ISMS performance

The implications of not conforming with the ISMS

requirements

Page 50

7.4 COMMUNICATION

Communication

What, when, to whom…

Internal and external (e.g. media response) communication procedures have to be established

Communication procedures for crisis situations and after a disruption (ensuring the availability of communication); these have to be tested

Who is authorized to communicate (the interoperability between multiple responding organizations has to be considered)

Communication during a disruptive incident

Operating and testing of communication capabilities intended for use during disruption of normal communication (cf. ISO 22301:2012 clause 8.4.3)

Page 51

ISO 27001 – Document Requirements

ISO 27001 Std Section 7.5

• ISMS Policy & Objectives

• ISMS Scope statement

• Supporting Procedures

• Risk Management Plan

• Risk Assessment Sheet / Report

• Risk Treatment Plan

• Documented procedures ensuring effective planning, operations and control.

• Evidences – Documented information

• Statement of applicability

Page 52

ISO 27001 – Document Requirements

ISO 27001 Std Section 7.5

• Document approval prior to issue.

• Review, update and re-approval of documents when changes are made.

• Revision status of documents should be identified.

• Ensure the most recent version is available to all concerned.

• Identification and control of documents of external origin.

• Ensure obsolete documents are identified and prevented from unintended use.

Page 53

ISO 27001 – Records Control

ISO 27001 Std Section 7.5

• Records must be maintained as evidence of ISMS implementation.

• Records must remain legible, readily identifiable and retrievable.

• Controls for record identification, storage, protection, retrieval, retention and disposal must be defined appropriately.

• Consider legal requirements for records, and keep records of the performance of security processes and of all security incidents.

Page 54

ISO 27001 - ISMS

ISO 27001 Std Section 8.0

8.0 Operation

8.1 Operational Planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

Refer ISO/IEC 27001 Section 8.0

Page 55

Management guidelines

Risk identification

Risk analysis

Risk evaluation

Risk treatment options: ACCEPT, TRANSFER, REDUCE, AVOID

Communication, reporting and monitoring

Risk controlling

Recording the risk management process
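The risk management steps listed on pages 42 and 55 carried through in code. This is an added example, not code from the training deck or from the standard. The 1-5 likelihood and impact scales, the acceptance threshold of 6, the four-row asset register, the owners' treatment decisions and the Annex A control subset (titles paraphrased; check them against the published standard) are all constructed assumptions. It goes a little beyond the slides: it computes residual risk after treatment, flags any residual risk still above the acceptance criterion for explicit owner approval (step f), and derives the Statement of Applicability entries, including a justified exclusion, from the treatment decisions (step h).

```python
"""Worked information security risk assessment and treatment.

Added example, not from the training deck or from ISO/IEC 27001 itself.
The scales, acceptance criterion, register and Annex A mapping below are
constructed assumptions chosen to look like a real (small) risk register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# a. Risk assessment approach (assumed): ordinal 1-5 likelihood and impact
#    scales, risk level = likelihood x impact, and a level at or below the
#    threshold is acceptable to the organization without further treatment.
ACCEPTANCE_THRESHOLD = 6
TREATMENT_OPTIONS = ("accept", "reduce", "transfer", "avoid")


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe loss of C, I or A)
    treatment: str = "accept"
    controls: List[str] = field(default_factory=list)   # Annex A references
    residual: Optional[Tuple[int, int]] = None          # (likelihood, impact) after treatment

    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        # Avoiding the activity removes the risk; otherwise use the post-treatment estimate,
        # or the untreated level when the owner simply accepted the risk.
        if self.treatment == "avoid":
            return 0
        if self.residual is None:
            return self.level()
        return self.residual[0] * self.residual[1]


def is_acceptable(level: int) -> bool:
    """c. Risk evaluation: compare an analysed level with the acceptance criterion."""
    return level <= ACCEPTANCE_THRESHOLD


def treat(risk: Risk, option: str, controls=(), residual=None) -> Risk:
    """d/e. Record the owner's treatment decision and the controls implementing it."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option in ("accept", "avoid") and (controls or residual):
        raise ValueError(f"{option} selects no controls and has no residual estimate")
    risk.treatment, risk.controls, risk.residual = option, list(controls), residual
    return risk


def needs_owner_approval(risk: Risk) -> bool:
    """f. Residual risk still above the criterion needs explicit owner sign-off."""
    return not is_acceptable(risk.residual_level())


def statement_of_applicability(risks: List[Risk], annex_a: Dict[str, str]) -> Dict[str, dict]:
    """h. SoA: each Annex A control, whether applied, and the risk-based justification."""
    soa = {}
    for ref, title in annex_a.items():
        justified_by = [r.rid for r in risks if ref in r.controls]
        soa[ref] = {
            "title": title,
            "applicable": bool(justified_by),
            "justification": ("selected to treat " + ", ".join(justified_by))
            if justified_by else "no identified risk requires this control",
        }
    return soa


# b. Risk identification: constructed register (asset, threat, vulnerability, owner, L, I)
REGISTER = [
    Risk("R-1", "Customer database", "External attacker", "Admin accounts without MFA", "Head of IT", 4, 5),
    Risk("R-2", "Staff laptops", "Theft off-premises", "Unencrypted disks", "Facilities manager", 3, 4),
    Risk("R-3", "Public brochure PDF", "Defacement", "Writable web share", "Marketing lead", 2, 1),
    Risk("R-4", "Card payment handling", "Card data breach", "In-house processing", "Finance director", 3, 5),
]

# Constructed subset of Annex A; titles paraphrased, verify against the published standard
ANNEX_A_SUBSET = {
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.13.1.1": "Network controls",
    "A.15.1.1": "Information security policy for supplier relationships",
}


def run_assessment() -> Tuple[List[Risk], Dict[str, dict]]:
    """Apply the owners' (assumed) treatment decisions and derive the SoA."""
    by_id = {r.rid: r for r in REGISTER}
    treat(by_id["R-1"], "reduce", ["A.9.4.2"], residual=(1, 5))               # MFA: likelihood drops
    treat(by_id["R-2"], "reduce", ["A.10.1.1", "A.11.2.6"], residual=(3, 2))  # encryption: impact drops
    treat(by_id["R-3"], "accept")                                             # level 2 is already acceptable
    treat(by_id["R-4"], "transfer", ["A.15.1.1"], residual=(2, 4))            # outsourced; residual 8 > 6
    return REGISTER, statement_of_applicability(REGISTER, ANNEX_A_SUBSET)


if __name__ == "__main__":
    register, soa = run_assessment()
    for r in register:
        flag = "OWNER APPROVAL REQUIRED" if needs_owner_approval(r) else "ok"
        print(f"{r.rid} {r.asset}: level {r.level():2d} -> {r.treatment:8s} residual {r.residual_level():2d} {flag}")
    for ref, row in soa.items():
        print(f"{ref} {'applicable' if row['applicable'] else 'excluded  '}: {row['justification']}")
```

Run it directly to print the register with each risk's treatment and residual level, followed by the SoA rows. R-4 is the case the owner must sign off explicitly: transferring the processing to a supplier still leaves a residual level above the acceptance criterion, which is exactly what step f on page 42 asks the owner to approve rather than letting it pass silently. A.13.1.1 shows the other side of the SOA: a control excluded with a justification instead of a blank.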

Page 56

ISO 27001 - ISMS

ISO 27001 Std Section 9.0

9.0 Performance evaluation

9.1 Monitoring, measurement, analysis & evaluation

9.2 Internal audit

9.3 Management Review

Refer ISO/IEC 27001 Section 9.0

Page 57

ISO 27001 – Internal ISMS audits

ISO 27001 Std Section 9.2

• Conduct ISMS Audits at planned intervals

• ISMS audits verify conformity to the requirements of the standard and to relevant legislation

• The ISMS audit programme should take into account the status and importance of the areas to be audited and the results of previous audits.

• A documented procedure must cover the responsibilities for planning, conducting and reporting audits

• Corrective actions are to be taken without undue delay.

• Corrections and corrective actions must be followed up and verified

Page 58

ISO 27001 – Management Review

ISO 27001 Std Section 9.3

• Review of the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness

• Assess opportunities for improvement

• Discuss the need for changes to the ISMS

• Records required

Page 59

ISO 27001 – Management Review

ISO 27001 Std Section 9.3

• Review performance and improvement opportunities

• ISMS Audit results

• Feedback from others

• Non-conformities and corrective actions

• Suggestion to improve ISMS performance

• Follow-up action on previous management reviews

• Changes to ISMS

• Recommendation for Improvements

Page 60

ISO 27001–Management Review

ISO 27001 Std Section 9.3

• Recorded result of Management review meeting

• Improvement of effectiveness of ISMS

• Modification to Scope statement, policies, procedures, etc.

• Resource requirements

• Improvement on measurement of implemented controls

Page 61

ISO 27001 - ISMS

ISO 27001 Std Section 10.0

10.0 Improvement

10.1 Nonconformity and corrective action

10.2 Continual improvement

Refer ISO/IEC 27001 Section 10.0

Page 62

ISO 27001 – Corrective Action

ISO 27001 Std Section 10.1

• The organization shall take action to eliminate the cause of the nonconformity, so that it does not recur

• Documented procedure of Corrective action determines:

– Review of Nonconformities

– Review the cause of NC’s

– Evaluate the need of action

– Implementation of Corrective action

– Result of action taken

– Review of Corrective action taken

Page 63

ISO 27001 – ISMS Improvements

ISO 27001 Std Section 10.2

• Organizations shall continually improve ISMS through

tahe use of following:

– Security Policy

– Information Security Objectives

– Audit Analysis

– Analysis of Monitored events

– Corrective & Preventive actions

– Management review meetings

Session – 4

Risk Management & Risk assessment

Risk Management & Risk assessment

Agenda

• Risk Management – why?

• Risk Management

• Importance of risk management

• Responsibilities of risk management

• CIA, Vulnerabilities and Threats

• Risk

• Risk assessment / analysis

• Various steps of risk management

• Evaluating Risk assessment (Best Practices)

Risk Management & Risk assessment

Risk Management – Why?

• Dependence on Information

• Change of Business Paradigm in terms of:

• Connectivity

• Telecommunication oriented Business Model

• Service oriented architecture

• Worsening Information Security Threats

• Customer Confidence

• Helps the organization to articulate vulnerabilities together with threats

What do you understand by Risk management?

Risk Management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level of risk.

Coordinated activities to direct and control an organization with regard to risk.

Risk Management is a detailed process of identifying the factors that could damage data, evaluating those factors in light of the value of the data and the cost of countermeasures, and implementing cost-effective solutions for mitigating the risk(s).

Note: The information security risk assessment and treatment process in ISO 27001:2013 aligns with the principles and generic guidelines provided in ISO 31000.

Risk Management Life Cycle

[Diagram: risk management life cycle; the labels on the slide are Threats, Asset, Exploits, Vulnerabilities, Risk, Result – Exposure, Safeguard]

Risk assessment Team Composition

• Individuals from all operational departments, i.e. managers, project supervisors, SMEs, etc.

• Quality Leaders / System designers and integrators

• And, the final authority to approve the RA.

Threat & Vulnerability

Threat

Any potential occurrence of a threat-source that may cause disruption or an undesirable outcome for an organization, system or asset, e.g. Alteration, Destruction, Loss, Disclosure, etc.

Vulnerability

The weakness of a safeguard, e.g. oversight, flaw, resistance, openness, etc.

What do you understand by Risk?

Risk is the possibility of damage happening.

Risk is the possibility that a threat will exploit a specific vulnerability to cause harm to an asset.

Physical Damage – Fire, Water, Power loss, Natural disaster

Human Resource – Intentional actions, Oversight

Misuse of data – Fraud, Theft, Sharing trade secrets

Application error – Input errors, Output errors, buffer overflows

Importance of Risk Management

It allows managers to balance the operational and economic costs and achieve gains in mission capabilities.

It helps the organization to assess and understand the business impacts of the current risk level and to prioritize future directions / recommendations.

It helps organizations to evaluate options for the treatment of risk: implementing appropriate controls, accepting risk, avoiding risk and transferring risk.

What do you understand by Risk assessment & Risk analysis?

RA is the first process of the risk management methodology.

It helps the organization to determine the extent of potential threats & vulnerabilities and the associated risk within the operational system.

The output of this exercise helps to identify appropriate controls for reducing / eliminating the risk.

It helps integrate the security program / module objectives with the company’s business objectives.

It helps senior management to review the essential outcome of the assessment / analysis and act on its findings.


Steps of Risk assessment

Step 1: Asset Classification

Step 2: Asset Valuation

Step 3: Threat identification

Step 4: Vulnerability identification

Step 5: Impact Determination

Step 6: Likelihood Determination

Step 7: Risk Determination

Step 8: Risk Mitigation

(reduce, assign or accept risk(s) / safeguard)

Step 9: Recommended controls

Step 10: Result documentation / report

Step – 1: Asset Classification

Asset Registry / list of the following

• Physical assets e.g. Physical Infrastructure assets, Computer Systems

• S/W assets e.g. Magnetic media

• Information assets e.g. shared folders, hardcopies

• Service assets e.g. Security & housekeeping services

• Human resource e.g. VPs, Managers, Associates

Tools and techniques

• Questionnaire, On-Site Interview

• Automated scanning tools e.g. Microsoft SMS ®

Step – 2: Asset Valuation

The asset value (AV) is derived from the individual ratings / values for C (Confidentiality), I (Integrity) and A (Availability).

The asset value is determined by one of the following methods:

Addition Method

C + I + A = AV

Multiplication Method

C * I * A = AV

Aggregated Method

(C + I + A)/3 = AV

Step – 3: Threat Identification

Any potential occurrence of a threat-source that exploits a specific vulnerability.

The identification must consider the source / agent of the threat, potential vulnerabilities (step 4), existing controls, past history, information from special interest groups, etc.

Step – 4: Vulnerability Identification

The weakness / flaw of a safeguard.

The identification must consider the source of the threat, the threat action, audit reports (Non Conformances), past assessment reports, special interest groups, etc.

Step – 5: Impact Determination

The adverse impact resulting from a threat successfully exploiting a vulnerability.

The determination must consider the individual asset value and exposure rating, as well as the overall criticality of the asset or exposure, BIA (Business Impact Analysis), FMEA, etc.

Impact can also be determined based on loss of confidentiality, loss of integrity and loss of availability.

Likelihood

Examples:

Rare – An event that is highly unlikely to occur, if ever.

Unlikely – An event that is unlikely to occur, perhaps once every 3 years.

Likely – An event likely to occur relatively infrequently.

Almost Certain – An event that is fairly probable, and could be expected to occur several times a year.

Step – 6: Likelihood Determination

Likelihood covers all aspects of occurrence.

This indicates the probability that a potential vulnerability may be exploited, given the associated threat and environment.

The determination must cover the threat source, the nature of the vulnerability and the effectiveness of current controls.

Step – 7: Risk Determination

The purpose is to assess the level of risk to the system.

The points below should be considered while determining the risk:

• The likelihood of a threat exploiting a given vulnerability

• The magnitude of the impact

• The adequacy of existing controls (in order to reduce or eliminate the overall risk)

Step – 8: Risk Mitigation

Also known as the ‘Risk treatment plan’: a systematic approach which helps management to understand the level of risk and safeguard the mission against that risk.

This process involves prioritizing, evaluating and implementing the appropriate methodology.

Step – 8: Risk Mitigation

The mitigation / treatment can be achieved by various options:

Total Risk: When the organization chooses not to implement any type of safeguard.

Risk acceptance: Acceptance of a risk by Management, e.g. Open ports on VOIP solutions / Telecom Dialer

Risk Transfer: Transfer the existing risk to others, e.g. insurance, security services, etc.

Risk reduction / residual risk: The risk that remains after treatment, e.g. disclosure, loss of data, etc.
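As an added worked example (not from the training deck), the following Python script carries steps 2 to 8 above through a small constructed risk register: asset value by the three methods of step 2, the four-level likelihood scale from the Likelihood slide, risk as likelihood times impact, and the accept / reduce decision of step 8. The numeric C/I/A scale (1 to 3), the likelihood numbers, the risk formula, the credit given for existing controls and the acceptance threshold are assumptions of this example, not rules from the standard.

```python
"""Steps 2 to 8 of the risk assessment on this page, carried through on a
constructed register. Assumed conventions (not from the page): C, I and A
are rated 1..3, the four likelihood levels are numbered 1..4 in the order
the page lists them, risk = likelihood x impact, and a score at or above
an acceptance threshold must be treated."""
from dataclasses import dataclass

# Likelihood scale in the order the page lists it; the numbers are assumed.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Likely": 3, "Almost Certain": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # Confidentiality rating, assumed scale 1..3
    i: int  # Integrity rating
    a: int  # Availability rating


def asset_value(asset, method="addition"):
    """Step 2: asset value (AV) from the C, I and A ratings, using one of
    the three methods on the Asset Valuation slide."""
    for rating in (asset.c, asset.i, asset.a):
        if not 1 <= rating <= 3:
            raise ValueError(f"rating {rating} is outside the assumed 1..3 scale")
    if method == "addition":
        return asset.c + asset.i + asset.a          # C + I + A = AV
    if method == "multiplication":
        return asset.c * asset.i * asset.a          # C * I * A = AV
    if method == "aggregated":
        return (asset.c + asset.i + asset.a) / 3    # (C + I + A)/3 = AV
    raise ValueError(f"unknown valuation method {method!r}")


@dataclass(frozen=True)
class RiskEntry:
    asset: Asset
    threat: str             # Step 3
    vulnerability: str      # Step 4
    likelihood: str         # Step 6: a key of LIKELIHOOD
    effective_controls: int = 0  # existing controls judged effective (assumed: each lowers likelihood one level)


def impact(entry, method="addition"):
    """Step 5: impact taken as the asset value, i.e. what is lost when C, I
    and A of that asset are compromised (an assumption of this example)."""
    return asset_value(entry.asset, method)


def likelihood_level(entry):
    """Step 6: rated likelihood, credited for existing controls but never
    below the lowest level (Rare = 1)."""
    return max(1, LIKELIHOOD[entry.likelihood] - entry.effective_controls)


def risk_score(entry, method="addition"):
    """Step 7: risk = likelihood x impact (assumed formula)."""
    return likelihood_level(entry) * impact(entry, method)


def treatment(entry, accept_below, method="addition"):
    """Step 8: accept the risk when its score is below the threshold,
    otherwise it must be reduced (transfer and avoidance are management
    choices that a score alone cannot decide)."""
    return "accept" if risk_score(entry, method) < accept_below else "reduce"


def prioritized_register(entries, accept_below=15, method="addition"):
    """Step 8 prioritization: highest-scoring risks first, each with its
    treatment decision. Returns plain dicts so the result is easy to report."""
    rows = [{"asset": e.asset.name, "threat": e.threat, "vulnerability": e.vulnerability,
             "likelihood": likelihood_level(e), "impact": impact(e, method),
             "score": risk_score(e, method), "treatment": treatment(e, accept_below, method)}
            for e in entries]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (asset names and ratings are made up for the example).
SAMPLE_ENTRIES = [
    RiskEntry(Asset("Customer database", 3, 3, 2), "Disclosure",
              "Shared administrator password", "Likely"),
    RiskEntry(Asset("Public web site", 1, 2, 3), "Power loss",
              "No UPS in server room", "Unlikely"),
    RiskEntry(Asset("Network infrastructure", 2, 2, 3), "Poor system performance",
              "No capacity planning", "Almost Certain", effective_controls=1),
]

if __name__ == "__main__":
    for row in prioritized_register(SAMPLE_ENTRIES):
        print(f"{row['score']:>3}  {row['treatment']:<7} {row['asset']} / {row['threat']}")
```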

Risk Treatment

Risk Treatment: Examples

Threat Name | Asset | Counter measure | ISO 27001
Poor System Performance | Whole of Network Infrastructure | Full Capacity Planning for Technical and Business Aspects | A.12.1.3
User Error | Associates | Help Desk and Training | A.7.2.2

ISO 27001 – RA Repeatability

• Changes to business requirements and priorities

• New assets, threats and vulnerabilities

• Periodic reviews to confirm controls remain effective and appropriate

ISO 27001 - SOA (Statement of applicability)

• ISO 27001:2013 controls selected or not

• Visible links back to Risk Assessment and Assets

• SOA stating reasons for control selection

• SOA stating reasons for control exclusion

• Additional controls could be selected

ISO 27001 - SOA

SOA – Statement of Applicability Possible Format

• Scope of ISMS

• Reference to Risk Assessment approach

• Control Table

• ISO 27001:2013 Annex A

• Control Requirement

• Selected / Excluded – Justification

• Documents / Records / Responsibilities / Assets

ISO 27001 - SOA

ISO 27001:2013 clause | Selected (Yes / No) | Apply to | Justification
A.5.1 Information Security Policy | | |
A.11.2 Equipment Security | | |
A.10.1.1 Cryptography | | | Because we do not have…. or reference to ….
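An added example (not part of the deck) showing how the SOA format above can be generated from the risk treatment table, so that every selected control keeps a visible link back to the risk assessment and its assets and every excluded control carries a stated reason. The first two treatment rows are the deck's own examples; the third row, the five-control subset of Annex A and the exclusion reasons are constructed for the example.

```python
"""Generate a Statement of Applicability (SOA) from a risk treatment table and
check the two properties the page asks for: visible links back to the risk
assessment and assets, and a stated reason for every excluded control."""
from collections import defaultdict
from dataclasses import dataclass, field

# Subset of ISO/IEC 27001:2013 Annex A control titles as listed on this page.
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.7.2.2": "Information security awareness, education and training",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.4": "Equipment maintenance",
    "A.12.1.3": "Capacity management",
}


@dataclass(frozen=True)
class Treatment:
    """One row of the risk treatment table: threat, asset, countermeasure
    and the Annex A control the countermeasure implements."""
    threat: str
    asset: str
    countermeasure: str
    control: str


@dataclass
class SoaRow:
    control: str
    title: str
    selected: bool
    apply_to: list = field(default_factory=list)   # assets from the RA
    justification: str = ""


def build_soa(treatments, exclusion_reasons):
    """One SOA row per Annex A control. A control is selected when at least
    one treatment maps to it; 'apply_to' and the justification are derived
    from those treatments, so the link back to the RA is explicit."""
    by_control = defaultdict(list)
    for t in treatments:
        if t.control not in ANNEX_A:
            raise ValueError(f"treatment references unknown control {t.control}")
        by_control[t.control].append(t)
    rows = []
    for ref, title in ANNEX_A.items():
        linked = by_control.get(ref, [])
        if linked:
            rows.append(SoaRow(ref, title, True, sorted({t.asset for t in linked}),
                               "; ".join(f"{t.threat}: {t.countermeasure}" for t in linked)))
        else:
            rows.append(SoaRow(ref, title, False, [], exclusion_reasons.get(ref, "")))
    return rows


def soa_findings(rows):
    """Review checks an auditor would apply to the SOA."""
    findings = []
    for r in rows:
        if r.selected and not r.apply_to:
            findings.append(f"{r.control}: selected but not linked to any asset")
        if not r.selected and not r.justification:
            findings.append(f"{r.control}: excluded without a stated reason")
    return findings


def format_soa(rows):
    """Render the rows in the column layout of the SOA slide."""
    lines = ["Clause | Selected | Apply to | Justification"]
    for r in rows:
        lines.append(f"{r.control} {r.title} | {'Yes' if r.selected else 'No'} | "
                     f"{', '.join(r.apply_to)} | {r.justification}")
    return lines


# The first two rows are the page's own examples; the third is constructed.
SAMPLE_TREATMENTS = [
    Treatment("Poor System Performance", "Whole of Network Infrastructure",
              "Full Capacity Planning for Technical and Business Aspects", "A.12.1.3"),
    Treatment("User Error", "Associates", "Help Desk and Training", "A.7.2.2"),
    Treatment("Unauthorised disclosure", "Customer database",
              "Approved information security policy", "A.5.1.1"),
]
# Constructed exclusion reasons; A.11.2.4 is deliberately left without one.
SAMPLE_EXCLUSIONS = {
    "A.10.1.1": "PLACEHOLDER: no cryptographic processing within the ISMS scope",
}

if __name__ == "__main__":
    soa = build_soa(SAMPLE_TREATMENTS, SAMPLE_EXCLUSIONS)
    print("\n".join(format_soa(soa)))
    print("\n".join(soa_findings(soa)) or "no findings")
```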

ISMS – Management Framework

[Diagram: ISMS management framework, six steps shown in sequence]

Step 1 – Define the Policy

Step 2 – Define Scope of ISMS

Step 3 – Undertake RA

Step 4 – Manage Risk

Step 5 – Select Controls

Step 6 – Statement of Applicability

Documents and inputs shown alongside the steps: Policy Document, Scope of ISMS, Information Assets, Risk Assessment Results & Conclusions, Degree of Assurance Required, Select Control Options, Control Objectives, Additional Controls, Statement

Information Technology – Security Techniques – Information Security Management System (ISMS)

ISO/IEC 27001:2013

Annex A


Control Objectives & Controls

Reference Control Objectives & Controls (Annex A)

A.5 Information Security Policies

A.6 Organization of Information Security

A.7 Human Resource Security

A.8 Asset Management

A.9 Access Control

A.10 Cryptography

A.11 Physical and Environmental Security

A.12 Operations Security

A.13 Communications security

A.14 System acquisition, development & maintenance

A.15 Supplier Relationships

A.16 Information security incident management

A.17 Information security aspects of BCM

A.18 Compliance

Annexure – A

Annexure A (Normative): 14 management Domains, 35 Objectives, 114 controls

A.5 – Security Policies

A.6 – Organization of Information Security

A.7 – Human resource Security

A.8 – Asset management

A.9 – Access Control

A.10, A.12, A.13 – Cryptography & Operations security & Communications security

A.11 – Physical and Environment Security

A.14 – Information System Acquisition, Development and Maintenance

A.15 – Supplier Relationships

A.16 – Information security incident management

A.17 – Business Continuity Management

A.18 – Compliance

A.5 Information Security Policies

A.5.1 Management Direction for Information Security

A.5.1.1 Policies for information security

A.5.1.2 Review of the policies for IS

Contents of an information security policy (Ref: ISO / IEC 27002:2005, page 2):

• Definition of information security (objective, scope and mechanism)

• Statement of management intent, supporting the goals and principles of IS

• Brief explanation of security policies, principles, standards and compliance

• General and specific responsibilities for IS management

• References (e.g. more detailed policies, procedures……..)

Examples of specific policies: Personnel screening and policy, Clear desk and clear screen policy, ….

A.6 Organization of Information Security

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

Controls: A.6.1.1 to A.6.1.5

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and the use of mobile devices.

Controls: A.6.2.1 to A.6.2.2

A.6 Organization of information security

A.6.1 Internal organization

A.6.1.1 Allocation of information security responsibilities

A.6.1.2 Segregation of duties

A.6.1.3 Contact with authorities

A.6.1.4 Contact with special interest groups

A.6.1.5 Project Management

A.6.2 Mobile devices and teleworking

A.6.2.1 Mobile devices policy

A.6.2.2 Teleworking

A.7 Human Resource Security

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

Controls: A.7.1.1 to A.7.1.2

A.7.2 During Employment

Objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities.

Controls: A.7.2.1 to A.7.2.3

A.7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

Controls: A.7.3.1

A.7 Human Resource Security

A.7.1 Prior to Employment

A.7.1.1 Screening

A.7.1.2 Terms and conditions of employment

A.7.2 During employment

A.7.2.1 Management Responsibilities

A.7.2.2 Information security awareness, education and training

A.7.2.3 Disciplinary Process

A.7.3 Termination or change of employment

A.7.3.1 Termination or change of employment responsibilities

A.8 Asset Management

A.8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

Controls: A.8.1.1 to A.8.1.4

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

Controls: A.8.2.1 to A.8.2.3

A.8.3 Media Handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

Controls: A.8.3.1 to A.8.3.3

A.8 Asset Management

A.8.1 Responsibility for assets

A.8.1.1 Inventory of Assets

A.8.1.2 Ownership of Assets

A.8.1.3 Acceptable use of assets

A.8.1.4 Return of assets

A.8.2 Information classification

A.8.2.1 Classification of Information

A.8.2.2 Labeling of Assets

A.8.2.3 Handling of Assets

A.8.3 Media Handling

A.8.3.1 Management of removable media

A.8.3.2 Disposal of Media

A.8.3.3 Physical Media Transfer

Asset Identification & Classification

ISO 27001 Std Section 4.2

Information Assets: Databases, Data Files, System Documentation, Operations Manual, Support procedures, User Manuals, Training Manuals, Intellectual property, Continuity plans, Fallback Arrangements

Services: Computing, Telecommunication, Power & lighting, Water, Air-conditioning, Heating, Gas, Fire control, Generators, UPS, Intruder alarms

Paper Documents: Contracts, Company documentation, Business results, HR records, Purchase documents, Invoices, Supplier lists, Company Catalogues

People: Employees, Customers, Subscribers, Contractors, Cleaners, Security, Trainees

Asset Identification & Classification

ISO 27001 Std Section 4.2

Software Assets: Operating Systems, Application Systems, Development tools, Utilities

Physical Assets: Servers, Computers, Hubs, switches, routers, Firewalls, Communication equipment, Magnetic, optical media, Other equipment, Racks, Cabinets, Safes

Information classification guidelines

Example

Scenario 1

Disclosure outside the organization would be inappropriate and inconvenient

Scenario 2

Disclosure inside or outside would cause significant harm to the interests of the organization

Scenario 3

Disclosure inside or outside would cause serious damage to the interest of the organization

A.9 Access Control

A.9.1 Business Requirements of access control

Objective: To limit access to information and information processing facilities.

Controls: A.9.1.1 to A.9.1.2

A.9.2 User Access Management

Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

Controls: A.9.2.1 to A.9.2.6

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding

Controls: A.9.3.1

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

Controls: A.9.4.1 to A.9.4.5

A.9 Access Control

A.9.1 Business Requirements of access control

A.9.1.1 Access control policy

A.9.1.2 Access to networks and network services

A.9.2 User Access Management

A.9.2.1 User registration and de-registration

A.9.2.2 User access provisioning

A.9.2.3 Management of privileged access rights

A.9.2.4 Management of secret authentication information of users

A.9.2.5 Review of user access rights

A.9.2.6 Removal or adjustment of access rights

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information

A.9 Access Control

A.9.4 System and application access control

A.9.4.1 System and application access control

A.9.4.2 Secure log-on procedures

A.9.4.3 Password management system

A.9.4.4 Use of privileged utility programs

A.9.4.5 Access control to program source code

A.10 Cryptography

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Controls: A.10.1.1 to A.10.1.2

• A.10.1.1 Policy on the use of cryptographic controls

• A.10.1.2 Key Management

A.11 Physical and Environmental Security

A.11.1 Secure Areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.

Controls: A.11.1.1 to A.11.1.6

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

Controls: A.11.2.1 to A.11.2.9

A.11 Physical and Environmental security

A.11.1 Secure areas

A.11.1.1 Physical Security perimeter

A.11.1.2 Physical entry controls

A.11.1.3 Securing offices, rooms and facilities

A.11.1.4 Protection against external and environmental threats

A.11.1.5 Working in secure areas

A.11.1.6 Delivery and loading areas

A.11.2 Equipment

A.11.2.1 Equipment siting and protection

A.11.2.2 Supporting utilities

A.11.2.3 Cabling Security

A.11.2.4 Equipment Maintenance

A.11.2.5 Removal of assets

A.11.2.6 Security of equipment off-premises

A.11.2.7 Secure disposal or re-use of equipment

A.11.2.8 Unattended user equipment

A.11.2.9 Clear Desk and clear Screen policy


A.12 Operations Security

A.12.1 Operational procedures and responsibilities

A.12.1.1 to A.12.1.4

A.12.2 Protection from malware

A.12.2.1

A.12.3 Backup

A.12.3.1

A.12.4 Logging and monitoring

A.12.4.1 to A.12.4.4

A.12.5 Control of operational software

A.12.5.1

A.12.6 Technical Vulnerability management

A.12.6.1 to A.12.6.2

A.12.7 Information systems audit consideration

A.12.7.1


AREA 12: OPERATIONS SECURITY ( 7/14)

A.12.1 Operational procedures and responsibilities

Objective: To ensure the correct and secure operations of information processing facilities.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected from malware.

A.12.3 Back up

Objective: To protect against loss of data.

A.12.4 Logging and monitoring

Objective: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities

A.12.7 Information system audit considerations

Objective: To minimize the impact of audit activities on operational systems

Rev. 04, Dec 2013

A.12 Operations Security

A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures

A.12.1.2 Change Management

A.12.1.3 Capacity Management

A.12.1.4 Separation of development, testing & operational environments

A.12.2 Protection from malware

A.12.2.1 Controls against malware

A.12.3 Back-up

A.12.3.1 Information Back up

A.12.4 Logging and Monitoring

A.12.4.1 Event Logging

A.12.4.2 Protection of log information

A.12.4.3 Administrator and Operator Logs

A.12 Operations Security

A.12.4 Logging and Monitoring

A.12.4.4 Clock Synchronization

A.12.5 Control of Operational Software

A.12.5.1 Installation of software on operational systems

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities

A.12.6.2 Restrictions on software installation

A.12.7 Information system audit considerations

A.12.7.1 Information systems audit controls

A.13 Communications Security

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

Controls: A.13.1.1 to A.13.1.3

A.13.2 Information Transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

Controls: A.13.2.1 to A.13.2.4

A.13 Communications security

A.13.1 Network Security Management

A.13.1.1 Network Controls

A.13.1.2 Security of Network services

A.13.1.3 Segregation in networks

A.13.2 Information Transfer

A.13.2.1 Information Transfer policies and procedures

A.13.2.2 Agreements on information Transfer

A.13.2.3 Electronic Messaging

A.13.2.4 Confidentiality or non-disclosure agreements

A.14 System Acquisition, development and maintenance

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire life cycle. This also includes the requirements for information systems which provide services over public networks.

Controls: A.14.1.1 to A.14.1.3

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development life cycle of information systems.

Controls: A.14.2.1 to A.14.2.9

A.14.3 Test Data

Objective: To ensure the protection of data used for testing.

Controls: A.14.3.1

Page 117: Information Security Management System ISO 27001:2013 ...engg.hbl.in/qms/pdfs/ISO 27001_ISMS Awareness Training...Refer to ( ISO/IEC 27001:2013 clause 6.1, 6.2, 6.3) ISO 27001 –ISMS

A.14.1 Security requirements of information systems

A.14.1.1 Information security requirements analysis and specification

A.14.1.2 Securing application services on public networks

A.14.1.3 Protecting application services transactions

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy

A.14.2.2 System change control procedures

A.14.2.3 Technical review of applications after operating platform changes

A.14.2.4 Restrictions on changes to software packages

A.14.2.5 Secure system engineering principles

A.14.2.6 Secure development environment

A.14.2.7 Outsourced development

A.14.2.8 System security testing

A.14.2.9 System acceptance testing

A.14.3 Test data

A.14.3.1 Protection of test data

A.14 System acquisition, development & maintenance


A.15 Supplier relationships

A.15.1 Information security in supplier relationships

Objective: To detect unauthorized information processing activities

Controls: A.15.1.1 to A.15.1.3

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements

Controls: A.15.2.1 to A.15.2.2


A.15.1 Information security in supplier relationships

A.15.1.1 Information security policy for supplier relationships

A.15.1.2 Addressing security within supplier agreements

A.15.1.3 Information and communication technology supply chain

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services

A.15.2.2 Managing changes to supplier services

A.15 Supplier relationships


A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses

Controls: A.16.1.1 to A.16.1.7

A.16 Information security incident management


A.16.1 Management of information security incidents and improvements

A.16.1.1 Responsibilities and procedures

A.16.1.2 Reporting information security events

A.16.1.3 Reporting information security weaknesses

A.16.1.4 Assessment of and decision on information security events

A.16.1.5 Response to information security incidents

A.16.1.6 Learning from information security incidents

A.16.1.7 Collection of evidence

A.16 Information security incident management


A.17 Information security aspects of business continuity management

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management systems

Controls: A.17.1.1 to A.17.1.3

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities

Controls: A.17.2.1


A.17.1 Information security continuity

A.17.1.1 Planning information security continuity

A.17.1.2 Implementing information security continuity

A.17.1.3 Verify, review and evaluate information security continuity

A.17.2 Redundancies

A.17.2.1 Availability of information processing facilities

A.17 Information security continuity


A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of any legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

Controls: A.18.1.1 to A.18.1.5

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with organizational policies and procedures

Controls: A.18.2.1 to A.18.2.3


A.18.1 Compliance with legal and contractual requirements

A.18.1.1 Identification of applicable legislation and contractual requirements

A.18.1.2 Intellectual property rights

A.18.1.3 Protection of records

A.18.1.4 Privacy and protection of personally identifiable information

A.18.1.5 Regulation of cryptographic controls

A.18.2 Information security reviews

A.18.2.1 Independent review of information security

A.18.2.2 Compliance with security policies and standards

A.18.2.3 Technical compliance review

A.18 Compliance
