ISO27001:2005 Introduction
Agenda
• Introduction to Information Security
• Implementation Methodology
• Deliverables
• Management Commitment
Information Security
Information
Information is an asset which, like any other important business asset, adds immense value to an organization because of its critical nature and therefore needs to be suitably protected. Whatever form information takes, and whatever the means by which it is shared or stored, the need to protect it must not be underestimated.
Information Security
Information systems security
“The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
Information Security Characteristics
Confidentiality: Ensuring that access to information is appropriately authorized
Integrity: Safeguarding the accuracy and completeness of information and processing methods
Availability: Ensuring that authorized users have access to information when they need it
In addition, other properties are the Authenticity, Accountability, Reliability and Non-Repudiation
The aim is to protect against security failures, detect them when they occur, and recover from them.
Threats to Information Security
The possible threats to Information Security are:
• Computer-assisted fraud
• Espionage
• Sabotage
• Vandalism
• Fire or flood – Natural calamity
• Computer viruses
• Computer hacking or malicious software
• Denial of service attacks
Information Security Management System
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, business processes and also includes IT systems.
ISMS – The PDCA Model (Continual Improvement)
Plan – Establish the context
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability (SOA)
Do – Implement and operate
- Formulate a risk treatment plan
- Implement the risk treatment plan
- Implement controls selected to meet the control objectives
Check – Monitor and review
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness
- Conduct internal audits at planned intervals
Act – Maintain and improve
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives
Overview of ISO27001 “A proven framework to initiate, implement, maintain and manage information security within your organization”
• A specification for the management of Information Security.
• Applicable to all sectors of industry & commerce and not confined to information held on computers.
• Addresses the security of information in whatever form it is held
• It takes a Risk Management approach
Security and Raymonds
Raymonds’ Business Needs
• To ensure that all business-related information is secured from unauthorized access.
• To ensure information integrity
• To ensure data availability to authorized persons when needed.
• To ensure that the risk to data is reduced to business acceptable levels.
• To ensure that Raymonds complies with regulatory requirements for information protection.
Implementation Methodology
11 Domains of ISO 27001
Methodology
Developing ISMS
Imparting Training to end users
Mapping ISO Domains to Policy Doc
Preparing Policy document
Statement of Applicability
Risk Treatment Plan
Risk Assessment
Asset Identification
Implementing Security Policy
Internal Audit & Management Review
Fixing Non Conformances
External Review
Recommendations for Certification
ISO 27001 Certification
Team Composition
ISF/ISSC
Project Manager – Consultant Co
Consultants – Consultant Co
Core team members - Raymonds
CISO
Project Manager - Raymonds
Deliverables
Deliverables
Stage 1 - Current State Assessment
• Current State Assessment of Information Security and Process
Current State Assessment Report comprising the current information security infrastructure, information security incidents, critical business processes, critical success factors, business requirements, hardware, software, applications and user feedback.
• Review Existing Policies & Procedures
Review Report for current Policies and Procedures, Information Security Policies and Procedures.
• Performing Gap Analysis vis-à-vis ISO 27001 control objectives
Gap Analysis against the 133 control objectives and the current state of policies and procedures.
Deliverables
Stage 2 - Establish the Context
• Define Business Objectives
Document defining the business objectives, critical business processes, critical success factors, dependencies on environmental factors, dependencies on external factors, dependencies on time factor, dependencies on IT.
• Create Security Forum and Information Security Policy
Establishing a security forum with representation from business, operations and IT persons, documenting the security objective, vision and mission, corporate security policy statement and project plan for the security initiative.
Deliverables
Stage 3 - Risk Identification & Assessment
• Business Risk Identification & Assessment
Documentation of various business processes, identification of critical processes, identification of various business risks, risk analysis giving probability and consequences of various risk scenarios and alternatives to mitigate the risk impact.
• Asset Identification & Classification
Asset register identifying all the critical assets.
Security classification schema.
Asset classification as per the classification schema.
Deliverables
Stage 4 – Managing the Risks
• Information Security Management System documentation
• Selection of Controls and preparation of statement of applicability
• Information Security Policies & Procedures
• Information Security Architecture
• Formulation of Business Continuity & Disaster Recovery Plan
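The Stage 3 and Stage 4 deliverables (asset register, classification schema, risk analysis with probability and consequence, risk treatment plan, statement of applicability) are usually kept as spreadsheets; the following is an added example, not part of the deck or of the Raymonds engagement, that expresses the same workflow as code so the scoring and the "business acceptable level" decision are explicit. The classification weights, the 1..4 likelihood and impact scales, the acceptance threshold of 8, the control identifiers CTRL-01..CTRL-05 and the three sample risks are all constructed for illustration; the threats are taken from the deck's own threat list.

```python
"""Risk register, treatment plan and statement of applicability (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed classification schema: label -> asset value weight.
CLASSIFICATION = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}
# Constructed "business acceptable level" on the value*likelihood*impact scale (1..64).
ACCEPTABLE_RISK = 8
# Constructed control catalogue: id -> (title, likelihood reduction, impact reduction).
CONTROL_CATALOGUE = {
    "CTRL-01": ("Anti-malware on all endpoints", 1, 0),
    "CTRL-02": ("Daily backup with restore testing", 0, 2),
    "CTRL-03": ("Formal user access registration", 1, 1),
    "CTRL-04": ("Physical security perimeter", 1, 0),
    "CTRL-05": ("Business continuity plan", 0, 1),
}


@dataclass
class Asset:
    name: str
    owner: str
    classification: str  # key of CLASSIFICATION


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1 (rare) .. 4 (almost certain)
    impact: int      # 1 (minor) .. 4 (severe)
    controls: List[str] = field(default_factory=list)  # selected CONTROL_CATALOGUE ids

    def _score(self, likelihood: int, impact: int) -> int:
        # Never let a control drive likelihood or impact below 1: a threat is never "gone".
        return CLASSIFICATION[self.asset.classification] * max(1, likelihood) * max(1, impact)

    def inherent(self) -> int:
        """Risk before any controls are applied."""
        return self._score(self.likelihood, self.impact)

    def residual(self) -> int:
        """Risk after the selected controls reduce likelihood and/or impact."""
        lik = self.likelihood - sum(CONTROL_CATALOGUE[c][1] for c in self.controls)
        imp = self.impact - sum(CONTROL_CATALOGUE[c][2] for c in self.controls)
        return self._score(lik, imp)

    def treatment(self) -> str:
        if self.inherent() <= ACCEPTABLE_RISK:
            return "accept"    # already within the business acceptable level
        if self.residual() <= ACCEPTABLE_RISK:
            return "mitigate"  # selected controls bring it within the acceptable level
        return "escalate"      # still above threshold: more controls, transfer or avoidance needed


def validate(risk: Risk) -> None:
    """Reject register rows that fall outside the scales or reference unknown controls."""
    if risk.asset.classification not in CLASSIFICATION:
        raise ValueError(f"unknown classification {risk.asset.classification!r}")
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 4:
            raise ValueError(f"{name} must be 1..4, got {value}")
    for cid in risk.controls:
        if cid not in CONTROL_CATALOGUE:
            raise ValueError(f"control {cid} is not in the catalogue")


def risk_treatment_plan(risks: List[Risk]) -> List[dict]:
    """One row per risk, highest residual risk first, so treatment is prioritised."""
    rows = []
    for r in risks:
        validate(r)
        rows.append({"asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
                     "inherent": r.inherent(), "residual": r.residual(),
                     "controls": list(r.controls), "treatment": r.treatment()})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def statement_of_applicability(risks: List[Risk]) -> Dict[str, dict]:
    """Every catalogue control with its applicability and the risks that justify it."""
    soa = {}
    for cid, (title, _, _) in CONTROL_CATALOGUE.items():
        justified_by = [f"{r.asset.name}/{r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {"title": title, "applicable": bool(justified_by), "justification": justified_by}
    return soa


# Constructed sample register; threats come from the deck's threat list.
RISKS = [
    Risk(Asset("ERP database", "Finance", "Restricted"), "computer viruses", 3, 3, ["CTRL-01", "CTRL-02"]),
    Risk(Asset("Server room", "IT", "Confidential"), "fire or flood", 2, 4, ["CTRL-05"]),
    Risk(Asset("Public website content", "Marketing", "Public"), "vandalism", 3, 2),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(RISKS):
        print(row)
    for cid, entry in statement_of_applicability(RISKS).items():
        print(cid, entry)
```

The first risk scores 36 inherently and drops to exactly the threshold (8) once anti-malware and backups are counted, so it is recorded as mitigated; the server-room risk stays at 18 after the continuity plan and is escalated for further treatment; the public-content risk is accepted without controls. The statement of applicability then lists CTRL-03 and CTRL-04 as not applicable with no justification, which is the kind of gap an internal audit would query.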
Deliverables
Stage 5 – Suggestion & Implementation of Controls
Training
• End User Awareness Training Program
• Top Management Training Program
Vulnerability Fix
• Analyze the vulnerability assessment report
• Implement recommendations for various business process components
• Implement security policy guidelines
• Implement latest security patches
Management Commitment
ISMS Team Structure
Information Security Forum (chaired by ISM)
Chief Information Security Officer
Information Security Management Team (Headed by Chief Information Security Officer)
Management Commitment
• The Top Management shall be committed to the development and implementation of Information Security policies and procedures and to the continuous improvement of its effectiveness.
• Establishing roles and responsibilities for information security
• Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy
• Ensuring that internal ISMS audits are conducted
• Conducting management reviews of the ISMS
Management Review
• Management shall review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
• This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
• The results of the reviews shall be clearly documented and records shall be maintained.
Thank You