
ISMS ISO 27001 Common

Date post:17-Nov-2014
Description:
ISMS & Audit Methodology by Amy Zhu
Transcript:

ISMS & Audit Methodology
Amy Zhu, MSN: [email protected]
14/01/2010

Agenda

ISO 2700x Overview

ISO 2700x Series Standard

ISO/IEC 27000: Vocabulary and Definitions
ISO/IEC 27001: Requirements (BS7799-2)
ISO/IEC 27002: Code of Practice (ISO 17799:2005)
ISO/IEC 27003: Implementation Guidance
ISO/IEC 27004: Metrics and Measurements
ISO/IEC 27005: Risk Management (BS7799-3)

ISO/IEC 27001:2005 control domains

Security Policy
Organizing Information Security
Asset Management
Human Resource Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

ISO 27001 Audit Stages

ISMS Methodology

PDCA model applied to ISMS process

Input: Info. Sec. Req. & Exp. (information security requirements and expectations)
Output: Managed Info. Sec.

Establish the ISMS (Plan): Scope; ISMS policy / Security Org.; Management Authorization; GAP Analysis; RA approach / RA / RTP options; SOA; C&CO

Implement and Operate the ISMS (Do): Risk Treatment Plan; Implement selected C&CO; Define Measurements; Training and Awareness

Monitor and Improve the ISMS (Check): Management Review; ISMS Metrics -> Control Effectiveness; Review RA; Internal Audit

Maintain and Improve the ISMS (Act): Implement the Improvements; Corrective Act. and Preventive Act.

(RA = risk assessment, RTP = risk treatment plan, SOA = statement of applicability, C&CO = controls and control objectives)

Continual Improvement of the Management System

Common Approach

High Level Certification Plan (chart): Phase I and Phase II; activities shown: Plan and Manage Program, Mobilize Program, Launch Program, Implementation, Certification; durations shown: 1 Month, 5 Months.

ISO Core Team

Security Committee

Role: The Committee is a key driver of our organization's security aspects. The Committee needs to meet and review at planned intervals the effectiveness of the Information Security Management System. The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.

Frequency: At least once a quarter. However, until the time of certification, the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the risk assessment.

Outcomes: Key decisions made on the effectiveness of the ISMS.

Risk Assessment - Phases

Identifying information assets, assigning values to them and controlling risks are essential ISO 27001 requirements.

Asset Identification and Valuation

Threat Identification

Threat Probability Analysis

Vulnerability Identification

Risk Measure = Asset Value * Threat Probability * Impact

Asset Identification and Valuation

Categorize Assets: Physical Assets; Information Assets; Software Assets; Services; Voice Information

Valuate Assets based on C.I.A.

Confidentiality: Ensuring that information is accessible only to those authorised to have access.

Integrity: Safeguarding the accuracy and completeness of information and processing methods.

Availability: Ensuring that authorised users have access to information and associated assets when required.

Asset Valuation Tool

Threat Identification

Threat Probability Analysis

TL = Threat Level Rating, with the guideline for each level:

TL 1: Once per 3 years or more / no occurrence
TL 2: Once per year
TL 3: Once per quarter
TL 4: Once per month

Vulnerability Identification & Mapping

Impact Value, by threat / vulnerability characteristic:

1: Occurrence of this threat will have negligible business impact
2: Occurrence of this threat will have minor business impact
3: Occurrence of this threat will have major business impact
4: Occurrence of this threat will have vital business impact
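The risk-assessment phases above (asset valuation, the TL 1-4 threat-level guideline, the 1-4 impact scale and the formula Risk Measure = Asset Value * Threat Probability * Impact) carried through in code, as an added example that is not part of the original slides. The TL and impact scales are the ones shown on the slides; the asset-value rule (the highest of an asset's C, I and A ratings on an assumed 1-4 scale), the use of TL as the threat-probability factor, and the sample assets are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Slide guideline: how often the threat occurs -> Threat Level rating (TL 1-4),
# used here as the "Threat Probability" factor of the slide formula (assumption).
THREAT_LEVEL = {
    "once per 3 years or more / no occurrence": 1,
    "once per year": 2,
    "once per quarter": 3,
    "once per month": 4,
}

# Slide scale: business impact if the threat occurs -> Impact Value (1-4)
IMPACT_VALUE = {"negligible": 1, "minor": 2, "major": 3, "vital": 4}


@dataclass
class Asset:
    name: str
    category: str          # Physical / Information / Software / Services
    confidentiality: int   # C, I, A ratings; a 1-4 scale is assumed here
    integrity: int
    availability: int

    def value(self) -> int:
        # Assumption: an asset is worth its most sensitive C/I/A property.
        return max(self.confidentiality, self.integrity, self.availability)


def risk_measure(asset: Asset, frequency: str, impact: str) -> int:
    """Risk Measure = Asset Value * Threat Probability * Impact (slide formula)."""
    return asset.value() * THREAT_LEVEL[frequency] * IMPACT_VALUE[impact]


def risk_register(entries):
    """Rank (asset, threat) pairs by risk, highest first, for the risk treatment plan."""
    rows = [(risk_measure(a, f, i), a.name, threat) for a, threat, f, i in entries]
    return sorted(rows, reverse=True)


# Constructed sample data (not from the slides)
CUSTOMER_DB = Asset("customer database", "Information", 4, 3, 3)
LOBBY_PRINTER = Asset("lobby printer", "Physical", 1, 1, 2)
SAMPLE_ENTRIES = [
    (CUSTOMER_DB, "unauthorised disclosure", "once per year", "vital"),
    (CUSTOMER_DB, "backup restore failure", "once per quarter", "major"),
    (LOBBY_PRINTER, "hardware failure", "once per month", "negligible"),
]

if __name__ == "__main__":
    for risk, name, threat in risk_register(SAMPLE_ENTRIES):
        print(f"{risk:3d}  {name:<18} {threat}")
```

The ranked register is the input to the risk treatment plan of the Do phase: a frequent but negligible-impact threat to a low-value asset scores far below a rarer, vital-impact threat to a high-value one.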

Risk Assessment and Risk Treatment

ISMS Auditing

Requirement for Internal Audit

What do we mean by Audit?

Audit

BS EN 19011:2002 Scope

Management Systems Auditing

Type of Audit

The Audit Process

Audit Objectives

The Scope of the Audit

Audit Criteria

The Benefits of Audit

Auditors' Responsibilities

Planning the Audit

Audit Programme

Planning and Preparation

Audit Planning

Decisions at the Planning Stage

Audit Duration

You need to define it based on your experience.

Audit Preparation

Preparing for the Audit

Audit Preparation - Information

Audit Documents

Benefits of the Checklists

Checklist: Audit Starting Point

Checklist: Clear Screen/Desk Policy

Exercise: Preparing an Audit Checklist

Conducting the Audit

Audit Activities

Opening Meeting

Collecting the Facts

Establish the Facts

Audit Evidence

Evidence

Techniques for Questioning

Recording the Facts

Documenting the Findings

Evaluating

Finding Classification - 1

Finding Classification - 2

Finding Classification - 3

The name does not matter; they are all Opportunities for Improvement.

Recording the Results

Documenting Non-Conformities

Non-Conformity Report

Reporting the Audit

Exercise: NC Report

Audit Report Meeting

Close Meeting

Avoid confrontation.

Conduct of Meeting

Follow-up Options

But always record your actions.

Successive Audits

Reporting

Q & A
