ISO-IEC_27002_2005

8/7/2019 ISO-IEC_27002_2005

1/164

Principles and fundamentals of security methodologies ofinformation systems - Information Security Policy

M2SSIC-Metz

Pascal Steichen

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - Informatio

Pascal Steichen 1 / 38
http://find/http://goback/

8/7/2019 ISO-IEC_27002_2005

2/164

1 Information security policy

2 ISO/IEC 27002:2005

3 Control Framework

4 Producing the policy - good practices

5 Conclusion - summary



8/7/2019 ISO-IEC_27002_2005

3/164

Information security policy


To protect its assets (information and systems) on a daily basis an organi-sation has to:

organise its security by documenting the countermeasures or controlsto protect the confidentiality, integrity and availability of the assets, in

a security policy,


http://0.0.105.122:2005/http://13335-1:2004/http://find/http://goback/

8/7/2019 ISO-IEC_27002_2005

4/164




organise its security by documenting the countermeasures or controlsto protect the confidentiality, integrity and availability of the assets, in

a security policy,with the prime goal to manage and reduce its risks.

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 3 / 38

I f i i li
http://0.0.105.122:2005/http://13335-1:2004/http://find/http://goback/

8/7/2019 ISO-IEC_27002_2005

5/164




organise its security by documenting the countermeasures or controlsto protect the confidentiality, integrity and availability of the assets, ina security policy,

with the prime goal to manage and reduce its risks.

Asset anything that has value to the organization. ISO/IEC


I f ti it li
http://13335-1:2004/http://0.0.105.122:2005/http://13335-1:2004/http://find/http://goback/

8/7/2019 ISO-IEC_27002_2005

6/164




organise its security by documenting the countermeasures or controlsto protect the confidentiality, integrity and availability of the assets, ina security policy,

with the prime goal to manage and reduce its risks.

Asset anything that has value to the organization. ISO/IEC

Control means of managing risk, including policies, procedures,

guidelines, practices or organizational structures, which canbe of administrative, technical, management, or legal nature.NOTE: Control is also used as a synonym for safeguard orcountermeasure. ISO/IEC


http://13335-1:2004/http://0.0.105.122:2005/http://0.0.105.122:2005/http://13335-1:2004/http://find/http://goback/

8/7/2019 ISO-IEC_27002_2005

7/164


An information security policy:

defines the business rules, principles and standards defining theorganisations approach to managing information security,- provides

management direction and support for information security inaccordance with business requirements and relevant laws andregulations,



8/7/2019 ISO-IEC_27002_2005

8/164





defines control objectives and controls intended to be implemented tomeet the requirements identified by a risk assessment,



8/7/2019 ISO-IEC_27002_2005

9/164





defines control objectives and controls intended to be implemented tomeet the requirements identified by a risk assessment,

needs approval by the highest level of management.


Information security policy why is an ISP important ?

8/7/2019 ISO-IEC_27002_2005

10/164


why is an ISP important ?

Because an information security policy:

is reference base for information traitement rules and practices,



8/7/2019 ISO-IEC_27002_2005

11/164

y p y y p




provides management support, and is published and communicated to

all employees and relevant external parties,



8/7/2019 ISO-IEC_27002_2005

12/164

y p y y p





all employees and relevant external parties,provides a structured and methodical approach to informationsecurity,



8/7/2019 ISO-IEC_27002_2005

13/164

y y y






integrates the business dimension,



8/7/2019 ISO-IEC_27002_2005

14/164







takes into account humans, organisational as well as technical aspects,



8/7/2019 ISO-IEC_27002_2005

15/164







takes into account humans, organisational as well as technical aspects,is based on the real operational situation of the organisation,



8/7/2019 ISO-IEC_27002_2005

16/164







takes into account humans, organisational as well as technical aspects,is based on the real operational situation of the organisation,

limits costs and optimises ROI.


Information security policy beforehand...

8/7/2019 ISO-IEC_27002_2005

17/164

beforehand...

It is essential that an organization identifies its security requirements.There are three main sources of security requirements:

One source is derived from assessing risks to the organization :

Risk = Vulnerability * Threat * Impact



8/7/2019 ISO-IEC_27002_2005

18/164

beforehand...




Another source is the legal, statutory, regulatory, and contractualrequirements that an organization, its trading partners, contractors,and service providers have to satisfy, and their socio-cultural

environment.



8/7/2019 ISO-IEC_27002_2005

19/164

beforehand...




Another source is the legal, statutory, regulatory, and contractualrequirements that an organization, its trading partners, contractors,and service providers have to satisfy, and their socio-cultural

environment.A further source is the particular set of principles, objectives andbusiness requirements for information processing that an organizationhas developed to support its operations.



8/7/2019 ISO-IEC_27002_2005

20/164


ISO/IEC 27002:2005

8/7/2019 ISO-IEC_27002_2005

21/164

ISO/IEC 27002:2005

THE reference document about information security policies is the

ISO/IEC 27002:2005 - Information technology Security techniques Code of practice for information security management (formerly known asISO/IEC 17799 and BS7799).


ISO/IEC 27002:2005 Scope

8/7/2019 ISO-IEC_27002_2005

22/164

Scope

This International Standard establishes guidelines and general principlesfor initiating, implementing, maintaining, and improving informationsecurity management in an organization. The objectives outlined in this

International Standard provide general guidance on the commonlyaccepted goals of information security management.The control objectives and controls of this International Standard areintended to be implemented to meet the requirements identified by a riskassessment. This International Standard may serve as a practical guideline

for developing organizational security standards and effective securitymanagement practices and to help build confidence in inter-organizationalactivities.


ISO/IEC 27002:2005 Scope

8/7/2019 ISO-IEC_27002_2005

23/164


ISO/IEC 27002:2005 Security Policy

8/7/2019 ISO-IEC_27002_2005

24/164

Security Policy

The policy document should contain statements concerning:

a definition of information security, its overall objectives and scopeand the importance of security as an enabling mechanism for

information sharing;



8/7/2019 ISO-IEC_27002_2005

25/164

Security Policy




a statement of management intent, supporting the goals andprinciples of information security in line with the business strategyand objectives;



8/7/2019 ISO-IEC_27002_2005

26/164

Security Policy




a statement of management intent, supporting the goals andprinciples of information security in line with the business strategyand objectives;

a framework for setting control objectives and controls, including thestructure of risk assessment and risk management;



8/7/2019 ISO-IEC_27002_2005

27/164

a brief explanation of the security policies, principles, standards, andcompliance requirements of particular importance to the organization



8/7/2019 ISO-IEC_27002_2005

28/164


compliance with legislative, regulatory, and contractual requirements;



8/7/2019 ISO-IEC_27002_2005

29/164


compliance with legislative, regulatory, and contractual requirements;security education, training, and awareness requirements;



8/7/2019 ISO-IEC_27002_2005

30/164


compliance with legislative, regulatory, and contractual requirements;security education, training, and awareness requirements;business continuity management;



8/7/2019 ISO-IEC_27002_2005

31/164


compliance with legislative, regulatory, and contractual requirements;security education, training, and awareness requirements;business continuity management;consequences of information security policy violations;



8/7/2019 ISO-IEC_27002_2005

32/164

a definition of general and specific responsibilities for informationsecurity management, including reporting information securityincidents;



8/7/2019 ISO-IEC_27002_2005

33/164


references to documentation which may support the policy, e.g. moredetailed security policies and procedures for specific informationsystems or security rules users should comply with.



8/7/2019 ISO-IEC_27002_2005

34/164


references to documentation which may support the policy, e.g. moredetailed security policies and procedures for specific informationsystems or security rules users should comply with.

and get periodic or if significant changes occur reviews.


ISO/IEC 27002:2005 Organizing Information Security

8/7/2019 ISO-IEC_27002_2005

35/164

Organizing Information Security

Management commitment to information security



8/7/2019 ISO-IEC_27002_2005

36/164



Information security co-ordination (CISO/RSSI)



8/7/2019 ISO-IEC_27002_2005

37/164




Allocation of information security responsibilities (data owners)



8/7/2019 ISO-IEC_27002_2005

38/164





Confidentiality or non-disclosure agreements (reflecting theorganizations needs)



8/7/2019 ISO-IEC_27002_2005

39/164






Contact with authorities and special interest groups



8/7/2019 ISO-IEC_27002_2005

40/164







Independent review of information security



8/7/2019 ISO-IEC_27002_2005

41/164







Independent review of information security

External parties (customers, partners, third parties...)


ISO/IEC 27002:2005 Asset Management

8/7/2019 ISO-IEC_27002_2005

42/164

Asset Management

Responsibility for assets


ISO/IEC 27002:2005 Asset Management

8/7/2019 ISO-IEC_27002_2005

43/164

Asset Management

Responsibility for assetsInformation classification


ISO/IEC 27002:2005 Human Resources Security

8/7/2019 ISO-IEC_27002_2005

44/164

Human Resources Security

Roles and responsibilities



8/7/2019 ISO-IEC_27002_2005

45/164



Screening



8/7/2019 ISO-IEC_27002_2005

46/164



Screening

Terms and conditions of employment



8/7/2019 ISO-IEC_27002_2005

47/164



Screening

Terms and conditions of employmentInformation security awareness, education, and training



8/7/2019 ISO-IEC_27002_2005

48/164



Screening


Disciplinary process


8/7/2019 ISO-IEC_27002_2005

49/164


8/7/2019 ISO-IEC_27002_2005

50/164



Screening



Termination

Return of assets



8/7/2019 ISO-IEC_27002_2005

51/164



Screening



Termination

Return of assetsRemoval of access rights


ISO/IEC 27002:2005 Physical and Environmental Security

8/7/2019 ISO-IEC_27002_2005

52/164

Physical and Environmental Security

Physical security perimeter and areas



8/7/2019 ISO-IEC_27002_2005

53/164



Equipment security



8/7/2019 ISO-IEC_27002_2005

54/164



Equipment securitySecurity of equipment off-premises



S

8/7/2019 ISO-IEC_27002_2005

55/164



Equipment securitySecurity of equipment off-premisesSecure disposal or re-use of equipment


ISO/IEC 27002:2005 Communications and Operations Management

C i i d O i M

8/7/2019 ISO-IEC_27002_2005

56/164

Communications and Operations Management

Change management



C i ti d O ti M t

8/7/2019 ISO-IEC_27002_2005

57/164


Change managementSeparation of development, test, and operational facilities



C i ti d O ti M t

8/7/2019 ISO-IEC_27002_2005

58/164



Third party service delivery management




8/7/2019 ISO-IEC_27002_2005

59/164




Protection against malicious and mobile code




8/7/2019 ISO-IEC_27002_2005

60/164


Change management

Separation of development, test, and operational facilities



Back-up




8/7/2019 ISO-IEC_27002_2005

61/164


Change management




Back-upNetwork security management




8/7/2019 ISO-IEC_27002_2005

62/164


Change management





Management of removable media




8/7/2019 ISO-IEC_27002_2005

63/164


Change management






Information exchange policies and procedures




8/7/2019 ISO-IEC_27002_2005

64/164


Change management







Electronic messaging




8/7/2019 ISO-IEC_27002_2005

65/164

p g

Change management







Electronic messagingOn-Line Transactions




8/7/2019 ISO-IEC_27002_2005

66/164

p g

Change management








Publicly available information




8/7/2019 ISO-IEC_27002_2005

67/164

Change management








Publicly available information

Monitoring


ISO/IEC 27002:2005 Access Control

Access Control

8/7/2019 ISO-IEC_27002_2005

68/164

User access management



Access Control

8/7/2019 ISO-IEC_27002_2005

69/164


User password management



Access Control

8/7/2019 ISO-IEC_27002_2005

70/164



Clear desk and clear screen policy



Access Control

8/7/2019 ISO-IEC_27002_2005

71/164




Network access control



Access Control

8/7/2019 ISO-IEC_27002_2005

72/164





User authentication for external connections



Access Control

8/7/2019 ISO-IEC_27002_2005

73/164





User authentication for external connectionsSegregation in networks



Access Control

8/7/2019 ISO-IEC_27002_2005

74/164






Operating system access control



Access Control

8/7/2019 ISO-IEC_27002_2005

75/164







User identification and authentication



Access Control

8/7/2019 ISO-IEC_27002_2005

76/164








Password management system



Access Control

8/7/2019 ISO-IEC_27002_2005

77/164








Password management systemMobile computing and communications


ISO/IEC 27002:2005 Information Systems Acquisition, Development and Maintenance

Information Systems Acquisition, Development and Maintenance

8/7/2019 ISO-IEC_27002_2005

78/164

Security requirements analysis and specification




8/7/2019 ISO-IEC_27002_2005

79/164


Correct processing in applications




8/7/2019 ISO-IEC_27002_2005

80/164



Cryptographic controls




8/7/2019 ISO-IEC_27002_2005

81/164




Security in development and support processes

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 20 / 38 ISO/IEC 27002:2005 Information Systems Acquisition, Development and Maintenance


8/7/2019 ISO-IEC_27002_2005

82/164




Security in development and support processes

Technical Vulnerability Management

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 20 / 38 ISO/IEC 27002:2005 Information Security Incident Management

Information Security Incident Management

8/7/2019 ISO-IEC_27002_2005

83/164

Reporting information security events and weaknesses

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 21 / 38 ISO/IEC 27002:2005 Information Security Incident Management

Information Security Incident Management

8/7/2019 ISO-IEC_27002_2005

84/164

Reporting information security events and weaknesses

Management of information security incidents and improvements

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 21 / 38 ISO/IEC 27002:2005 Business Continuity Management

Business Continuity Management

8/7/2019 ISO-IEC_27002_2005

85/164

Developing and implementing continuity plans including information

security


8/7/2019 ISO-IEC_27002_2005

86/164

ISO/IEC 27002:2005 Compliance

Compliance

8/7/2019 ISO-IEC_27002_2005

87/164

Compliance with legal requirements

M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - InformatioPascal Steichen 23 / 38 ISO/IEC 27002:2005 Compliance

Compliance

8/7/2019 ISO-IEC_27002_2005

88/164


Intellectual property rights (IPR)


Compliance

8/7/2019 ISO-IEC_27002_2005

89/164


Intellectual property rights (IPR)Data protection and privacy of personal information


Compliance

8/7/2019 ISO-IEC_27002_2005

90/164



Compliance with security policies and standards and technicalcompliance

M2SSIC Metz () Principles and fundamentals of security methodologies of information systems InformatioPascal Steichen 23 / 38 ISO/IEC 27002:2005 Compliance

Compliance

8/7/2019 ISO-IEC_27002_2005

91/164



Compliance with security policies and standards and technicalcompliance

Information systems audit

M2SSIC Metz () Principles and fundamentals of security methodologies of information systems InformatioPascal Steichen 23 / 38 Control Framework

Control Framework

8/7/2019 ISO-IEC_27002_2005

92/164

The control framework provides the routine response to known risks aspart of the information security process, by combining the following, tomitigate those known risks to an acceptable level:

security policies,


Control Framework

8/7/2019 ISO-IEC_27002_2005

93/164


security policies,procedures,


Control Framework

8/7/2019 ISO-IEC_27002_2005

94/164



standards


Control Framework

8/7/2019 ISO-IEC_27002_2005

95/164



standards

and architecture


8/7/2019 ISO-IEC_27002_2005

96/164

The meaning of acceptable will vary from organisation to organisation:

there is no preset control framework for your organisation,


8/7/2019 ISO-IEC_27002_2005

97/164

The meaning of acceptable will vary from organisation to organisation:

there is no preset control framework for your organisation,

ISO/IEC 27002:2005 (or others) are only guides that need to beadapted.

M2SSIC M t () P i i l s d f d t ls f s it th d l i s f i f ti s st s I f tiP s l St i h 25 / 38 Control Framework

8/7/2019 ISO-IEC_27002_2005

98/164

A typical control framework can be broken down into the followingcomponents:

The Policies (policy statements).

M2SSIC M t () P i i l d f d t l f it th d l i f i f ti t I f tiP l St i h 26 / 38 Control Framework

8/7/2019 ISO-IEC_27002_2005

99/164



The Procedures.


8/7/2019 ISO-IEC_27002_2005

100/164



The Procedures.

(Guidelines & Work instructions)


8/7/2019 ISO-IEC_27002_2005

101/164



The Procedures.


The Standards.

M2SSIC M () P i i l d f d l f i h d l i f i f i I f iP l S i h 26 / 38 Control Framework

8/7/2019 ISO-IEC_27002_2005

102/164



The Procedures.


The Standards.

(Security architectures).

M2SSIC M () P i i l d f d l f i h d l i f i f i I f iP l S i h 26 / 38 Control Framework

8/7/2019 ISO-IEC_27002_2005

103/164



The Procedures.


The Standards.

(Security architectures).

Other documentation.


Control Framework Policy statements

Policy statements

8/7/2019 ISO-IEC_27002_2005

104/164

These are the highlevel (strategic) documents generally addressing anumber of controls (often structured accoring to the 11 chapters of the27002), spread across various areas of activity.Example: Acces control Policy (chap. 11 of 27002)


Control Framework Procedures

Procedures

8/7/2019 ISO-IEC_27002_2005

105/164

Procedures further detail aspects of the policy statements describing

realistic processes

Example: Remote Access Control Procedure (part of chap. 11.4 of 27002)



Procedures

8/7/2019 ISO-IEC_27002_2005

106/164


realistic processes

covering daily management activities




Procedures

8/7/2019 ISO-IEC_27002_2005

107/164


realistic processes

covering daily management activitiesand defining responsabilities.



Control Framework Guidelines & Work instructions

Guidelines & Work instructions

8/7/2019 ISO-IEC_27002_2005

108/164

Sometimes, procedures dont provide enough detail to get the job done.This is particularly true for highly complex tasks that require detailedstep-by-step instructions.

Work instructions provide more detail. As a consequence, such instructionsare often tightly bound to a particular implementation.Guidelines are useful for providing advice in a less formal way - there is norequirement to sign-off guidelines.Example: Acces Control Instructions for mobile devices


Control Framework Standards

Standards

8/7/2019 ISO-IEC_27002_2005

109/164

Information security standards translate policy/procedure requirements

into operational instructions.Example: List of authorized remote access mechanisms/tools


Control Framework Security architectures

Security architectures

8/7/2019 ISO-IEC_27002_2005

110/164

Most medium and large organisation have a complex IT infrastructurethat has evolved over time.

Example: Remote Acces Architecture




8/7/2019 ISO-IEC_27002_2005

111/164


Each of these systems has an associated security model.





8/7/2019 ISO-IEC_27002_2005

112/164


Each of these systems has an associated security model.The goal of a security architecture is to combine processes and toolsinto a framework that mitigates risk.



Control Framework Other documentation

Other documentation

8/7/2019 ISO-IEC_27002_2005

113/164

Examples of the types of documents that the department will be involvedwith include:

Legal & regulatory documentation, including contracts



Other documentation

8/7/2019 ISO-IEC_27002_2005

114/164



Security monitoring data and security reports



Other documentation

8/7/2019 ISO-IEC_27002_2005

115/164




Log files, acces control lists (physical and/or logical)



Other documentation

8/7/2019 ISO-IEC_27002_2005

116/164





Project plans and status reports



Other documentation

8/7/2019 ISO-IEC_27002_2005

117/164






Financial plans and budgets



Other documentation

8/7/2019 ISO-IEC_27002_2005

118/164







Vendor-related documentation and licences



Other documentation

8/7/2019 ISO-IEC_27002_2005

119/164







Vendor-related documentation and licences

Documentation owned by other operational units


Control Framework DOs and DONTs

DOs and DONTs

DO:

8/7/2019 ISO-IEC_27002_2005

120/164



DOs and DONTs

DO:

8/7/2019 ISO-IEC_27002_2005

121/164

Keep the volume of documentation down to a strict minimum.



DOs and DONTs

DO:

8/7/2019 ISO-IEC_27002_2005

122/164

Keep the volume of documentation down to a strict minimum.Check regularly to see that documentation is being used.



DOs and DONTs

DO:

8/7/2019 ISO-IEC_27002_2005

123/164

Keep the volume of documentation down to a strict minimum.Check regularly to see that documentation is being used.Ensure that documents are reviewed and approved by all concernedparties.



DOs and DONTs

DO:

K h l f d d

8/7/2019 ISO-IEC_27002_2005

124/164

Keep the volume of documentation down to a strict minimum.Check regularly to see that documentation is being used.Ensure that documents are reviewed and approved by all concernedparties.Take time to organise the way documents are stored and retrieved



DOs and DONTs

DO:

K h l f d i d i i i

8/7/2019 ISO-IEC_27002_2005

125/164


create a well-structured set of directories.



DOs and DONTs

DO:

K h l f d i d i i i

8/7/2019 ISO-IEC_27002_2005

126/164


create a well-structured set of directories.DONT:



DOs and DONTs

DO:

K th l f d t ti d t t i t i i

8/7/2019 ISO-IEC_27002_2005

127/164



Try to document everything.



DOs and DONTs

DO:

K th l f d t ti d t t i t i i

8/7/2019 ISO-IEC_27002_2005

128/164



Try to document everything.Document material that is already in user guides (e.g. successive screenshots).



DOs and DONTs

DO:

Keep the volume of documentation down to a strict minimum

8/7/2019 ISO-IEC_27002_2005

129/164




Try to have sign-off on everything! Restrict yourself to approving keydocuments.



DOs and DONTs

DO:

Keep the volume of documentation down to a strict minimum

8/7/2019 ISO-IEC_27002_2005

130/164




Try to have sign-off on everything! Restrict yourself to approving keydocuments.Use documents to communicate when you should be talkingface-to-face.


Producing the policy - good practices


8/7/2019 ISO-IEC_27002_2005

131/164

Dont Become a Paper Dragon




8/7/2019 ISO-IEC_27002_2005

132/164


Involving The Right People




8/7/2019 ISO-IEC_27002_2005

133/164



it is important to involve all concerned parties from the start.




8/7/2019 ISO-IEC_27002_2005

134/164



it is important to involve all concerned parties from the start.Policies must respect the company culture



NEVER develop policy statements in isolation

8/7/2019 ISO-IEC_27002_2005

135/164

NEVER develop policy statements in isolation.



NEVER develop policy statements in isolation

8/7/2019 ISO-IEC_27002_2005

136/164

NEVER develop policy statements in isolation.Consider working in an iterative fashion, asking for feedback at eachstep.


8/7/2019 ISO-IEC_27002_2005

137/164


NEVER develop policy statements in isolation.

8/7/2019 ISO-IEC_27002_2005

138/164

NEVER develop policy statements in isolation.Consider working in an iterative fashion, asking for feedback at eachstep.

Using skeleton documents can be very effective.Start with section titles and a rough description of what needs to go in

each section.



NEVER develop policy statements in isolation.C id ki i i i f hi ki f f db k h

8/7/2019 ISO-IEC_27002_2005

139/164

p p yConsider working in an iterative fashion, asking for feedback at eachstep.


each section.Circulate for comments and suggestions.



NEVER develop policy statements in isolation.C id ki i i i f hi ki f f db k h

8/7/2019 ISO-IEC_27002_2005

140/164



each section.Circulate for comments and suggestions.Flesh the policy out section by section.



NEVER develop policy statements in isolation.C id ki i it ti f hi ki f f db k t h

8/7/2019 ISO-IEC_27002_2005

141/164



each section.Circulate for comments and suggestions.Flesh the policy out section by section.Use open questions and provide alternatives.



NEVER develop policy statements in isolation.C id ki i it ti f hi ki f f db k t h

8/7/2019 ISO-IEC_27002_2005

142/164



each section.Circulate for comments and suggestions.Flesh the policy out section by section.Use open questions and provide alternatives.Listen to peoples objections and encourage them to identify solutionsto their own issues.



Planning - Producing a policy statement is a strategic objective.

8/7/2019 ISO-IEC_27002_2005

143/164



Planning - Producing a policy statement is a strategic objective.The different types of activity need to be identified, prioritised andestimated.

8/7/2019 ISO-IEC_27002_2005

144/164




Roles and responsibilities for the project need to be defined and agreedwith those concerned

8/7/2019 ISO-IEC_27002_2005

145/164

with those concerned.





8/7/2019 ISO-IEC_27002_2005

146/164

with those concerned.Resources from other areas need to be reserved in advance.





8/7/2019 ISO-IEC_27002_2005

147/164

with those concerned.Resources from other areas need to be reserved in advance.Dependencies and possible contention for resources need to beidentified up front.




Roles and responsibilities for the project need to be defined and agreedwith those concerned.

8/7/2019 ISO-IEC_27002_2005

148/164

with those concerned.Resources from other areas need to be reserved in advance.Dependencies and possible contention for resources need to beidentified up front.

Decision points need to be clearly identified.


8/7/2019 ISO-IEC_27002_2005

149/164




8/7/2019 ISO-IEC_27002_2005

150/164

Resources from other areas need to be reserved in advance.Dependencies and possible contention for resources need to beidentified up front.

Decision points need to be clearly identified.This should all be summarised in a formal project plan.

Aim for milestones at regular intervals to show progress.





8/7/2019 ISO-IEC_27002_2005

151/164

Resources from other areas need to be reserved in advance.Dependencies and possible contention for resources need to beidentified up front.

Decision points need to be clearly identified.This should all be summarised in a formal project plan.

Aim for milestones at regular intervals to show progress.Sign-Off is Critical





8/7/2019 ISO-IEC_27002_2005

152/164

Resources from other areas need to be reserved in advance.Dependencies and possible contention for resources need to beidentified up front.Decision points need to be clearly identified.This should all be summarised in a formal project plan.

Aim for milestones at regular intervals to show progress.Sign-Off is Critical

Management Sign-Off: It is a good idea to include a statement fromthe executive board that supports the policy and explains anyconsequences of not adhering to it.


8/7/2019 ISO-IEC_27002_2005

153/164


Publication

8/7/2019 ISO-IEC_27002_2005

154/164

Publication



Publication

8/7/2019 ISO-IEC_27002_2005

155/164

Publication

Diffusion



Publication

8/7/2019 ISO-IEC_27002_2005

156/164

Publication

Diffusion

Publish on the company intranet



Publication

8/7/2019 ISO-IEC_27002_2005

157/164

Publication

Diffusion

Publish on the company intranetUse mouse mats, posters, ...



Publication

8/7/2019 ISO-IEC_27002_2005

158/164

Publication

Diffusion

Publish on the company intranetUse mouse mats, posters, ...Think about interactive methods.



Publication

8/7/2019 ISO-IEC_27002_2005

159/164

Diffusion

Publish on the company intranetUse mouse mats, posters, ...Think about interactive methods.

Prepare via awareness raising actions


Conclusion - summary


A global information security process/approach can follow these steps:

8/7/2019 ISO-IEC_27002_2005

160/164

1 Risk assessment/analysis





8/7/2019 ISO-IEC_27002_2005

161/164


2 Awareness raising campaign





/

8/7/2019 ISO-IEC_27002_2005

162/164



3

Security policy





Ri k / l i

8/7/2019 ISO-IEC_27002_2005

163/164



3

Security policy4 ISMS (Information Security Managment System)





Ri k / l i

8/7/2019 ISO-IEC_27002_2005

164/164



3

Security policy4 ISMS (Information Security Managment System)

5 ISMS - Certification


Date post:	09-Apr-2018
Category:	Documents
Upload:	kunta-kinte
View:	218 times
Download:	0 times

ISO-IEC_27002_2005

Documents