
John Snare, Chair, Standards Australia Committee IT/12/4

Transcript

April 14, 2010 

John Snare Chair Standards Australia Committee IT/12/4

ISO/IEC 27001 ISMS

ISO/IEC 27002 (was 17799) Controls

Risk Management (ISO 31000)

Industry Specific Standards Banking, Health, Transport,

Telecommunications

Risk Management implementation guides

Evaluation criteria ISO/IEC 15408

Mechanisms, types of control

Management perspective

Technical perspective


• The need for standards is international
• Very few national info sec standards
• Standards Australia is responsible for Australian input to ISO/IEC standards development committees
• A local, broadly representative committee of experts prepares the Australian input by consensus
• ISO/IEC committees meet regularly to consider national body input
• The development cycle takes about 3 years, based on progressively refined drafts every 6 months or so

• This is a surprisingly tricky question!
  ◦ Hazards?
  ◦ Resilience?
  ◦ Business continuity?
  ◦ US Treadway Commission?


• Risk: effect of uncertainty on objectives
  ◦ It is often expressed in terms of a combination of the probability of events and their consequences
• Risk Management: coordinated activities to direct and control an organization with regard to risk

• Business risk
• Market risk
• Finance risk
• Currency risk
• Project risk
• Legal risk
• Security risk
• …


• Customers
• Line management
• Senior management
• Company Boards
• Business Partners

• Special considerations
  ◦ outcomes are always negative (there is no upside)
  ◦ there are typically many, many of them
  ◦ major effort is devoted to preventive controls, but recovery controls shouldn't be neglected


• Principles
• Framework
• Process

a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative, and responsive to change
k. Risk management facilitates continual improvement of the organization


Framework (figure):

Mandate & commitment

Design of framework
1. Understanding the organization & its context
2. Establishing risk management policy
3. Accountability
4. Integration into organizational processes
5. Resources
6. Internal and external communication & reporting mechanisms

Implementing risk management
1. Implementing the framework
2. Implementing the processes

Monitoring & review

Continual improvement

Process (figure):

Establish context
- internal
- external
- risk management
- criteria

Assess risks
- identify risks
- analyse risks
- evaluate risks

Treat risks
- identify options
- evaluate options
- select options
- prepare plans
- implement plans

Communicate and consult (alongside every step)

Monitor and review (alongside every step)
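The process steps above (establish context, identify, analyse, evaluate, treat), run as code over a small risk register. This is an added example and not code from the slides or from ISO 31000: the 5x5 likelihood/consequence matrix, the tolerance threshold, the control options and the three register entries are all constructed assumptions chosen for illustration. Preventive controls lower the likelihood level and recovery controls lower the consequence level, which makes the earlier point about not neglecting recovery controls concrete: for the ransomware entry the cheapest option set that satisfies the risk criteria is a recovery control on its own.

```python
"""Worked ISO 31000-style risk process over a constructed register.

Added example. The matrix, the tolerance threshold (TOLERABLE_MAX), the
control options and the risks are assumptions, not content from the slides.
"""
from dataclasses import dataclass
from itertools import combinations

# --- Establish context: the risk criteria (assumed 5x5 matrix and appetite) ---
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
TOLERABLE_MAX = 8  # assumed criterion: a rating above this must be treated


@dataclass(frozen=True)
class Control:
    name: str
    kind: str        # "preventive" lowers likelihood, "recovery" lowers consequence
    reduction: int   # matrix levels removed by this control
    cost: int        # relative implementation cost (arbitrary units)


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str
    consequence: str
    options: tuple = ()   # candidate treatment options identified for this risk


def rating(likelihood_level: int, consequence_level: int) -> int:
    """Analyse: combine probability and consequence as a matrix product."""
    return likelihood_level * consequence_level


def residual_levels(risk: Risk, controls) -> tuple:
    """Apply controls: preventive ones cut likelihood, recovery ones cut consequence.
    Levels never drop below 1, so no control makes a risk disappear entirely."""
    lk = LIKELIHOOD[risk.likelihood]
    cq = CONSEQUENCE[risk.consequence]
    for c in controls:
        if c.kind == "preventive":
            lk -= c.reduction
        elif c.kind == "recovery":
            cq -= c.reduction
        else:
            raise ValueError(f"unknown control kind {c.kind!r}")
    return max(lk, 1), max(cq, 1)


def evaluate(score: int) -> str:
    """Evaluate: compare an analysed rating against the risk criteria."""
    return "accept" if score <= TOLERABLE_MAX else "treat"


def select_treatment(risk: Risk):
    """Treat: pick the cheapest option set whose residual rating meets the criteria
    (ties broken by lowest residual, then fewest controls).
    Returns (residual_rating, chosen_controls); raises if no subset suffices."""
    inherent = rating(LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence])
    if evaluate(inherent) == "accept":
        return inherent, ()
    best = None
    for n in range(1, len(risk.options) + 1):
        for subset in combinations(risk.options, n):
            resid = rating(*residual_levels(risk, subset))
            if evaluate(resid) != "accept":
                continue
            key = (sum(c.cost for c in subset), resid, n)
            if best is None or key < best[0]:
                best = (key, resid, subset)
    if best is None:
        raise ValueError(f"{risk.rid}: no treatment option set meets the risk criteria")
    return best[1], best[2]


def run_process(register):
    """Runs analyse -> evaluate -> treat over the register and returns the plan."""
    plan = {}
    for risk in register:
        inherent = rating(LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence])
        residual, chosen = select_treatment(risk)
        plan[risk.rid] = {
            "inherent": inherent,
            "decision": evaluate(inherent),
            "controls": [c.name for c in chosen],
            "residual": residual,
        }
    return plan


# --- Identify: constructed register with candidate options (not real data) ---
REGISTER = [
    Risk("R1", "Ransomware encrypts the file servers", "likely", "major", (
        Control("Patching and EDR on all hosts", "preventive", 2, 3),
        Control("Offline backups with tested restores", "recovery", 2, 2),
        Control("MFA on remote access", "preventive", 1, 1),
    )),
    Risk("R2", "Stolen laptop exposes unencrypted data", "possible", "moderate", (
        Control("Full-disk encryption", "recovery", 2, 1),
        Control("Cable locks and clean-desk policy", "preventive", 1, 1),
    )),
    Risk("R3", "Website defaced via CMS bug", "unlikely", "minor", (
        Control("Web application firewall", "preventive", 1, 2),
    )),
]

if __name__ == "__main__":
    for rid, entry in run_process(REGISTER).items():
        print(rid, entry)
```

R1 rates 16 inherent and is brought to 8 by the backup control alone (cost 2), cheaper than patching and EDR (cost 3) for the same residual; R2 rates 9 and full-disk encryption takes it to 3; R3 rates 4 and is accepted untreated. Changing TOLERABLE_MAX or a control's reduction is the quickest way to see how sensitive a treatment plan is to the criteria set in the context step.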


PDCA applied to the ISMS (figure):

Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
(development, maintenance and improvement cycle)

Input: interested parties' information security requirements and expectations
Output: managed information security for the interested parties

ISO/IEC 27001 – ISMS Requirements
• An infosec risk management system
  ◦ Establishing and managing an ISMS
  ◦ Documentation requirements
  ◦ Management responsibility
  ◦ Internal audits
  ◦ Management reviews
  ◦ Improvement

• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 Information security management systems – Requirements
• ISO/IEC 27002 A code of practice for information security management
• ISO/IEC 27003 Implementation guidance
• ISO/IEC 27004 Information security management – Measurements
• ISO/IEC 27005 Information security risk management
• ISO/IEC 27006 Requirements for ISMS certifying bodies
• CD 27007 Guidelines for ISMS auditing
• WD 27008 Guidance for auditors on ISMS controls
• WD 27014 Information security governance


• WD 27010 Inter-sector and inter-organizational communications
• ISO/IEC 27011 Guidelines for telecommunications
• WD 27013 Integrated implementation of 27001 and 20000-1
• WD 27015 Guidelines for the financial and insurance services sector


• ISO/IEC 27002
  ◦ Risk assessment & treatment
  ◦ Security policy
  ◦ Organisation of information security
  ◦ Asset management
  ◦ Human resources security
  ◦ Physical and environmental security
  ◦ Communications and operations management
  ◦ Access control
  ◦ Information system acquisition, development & maintenance
  ◦ Information security incident management
  ◦ Business continuity management
  ◦ Compliance

• FCD 27031 ICT readiness for business continuity
• CD 27032 Guidelines for cyber security
• xD 27033 Network security (six parts)
• xD 27034 Application security (five parts)
• WD 27035 Information security incident management
• WD 27036 Security in outsourcing
• WD 27037 Guidelines for identification, collection and/or acquisition of digital evidence


• Criteria – often called the 'Common Criteria'
• Methodology
• Protection profiles
• Development of secure systems
  ◦ With a view to evaluation, or leveraging the Common Criteria
• SSE-CMM
• Vulnerability reporting

Standards mapped against the life cycle of an infosec issue (figure):

• ICT readiness for business continuity (27031)
• Cyber security (27032)
• Selection, deployment & operation of IDS (18043)
• Information security incident management (27035)
• ICT disaster recovery services (24762)
• Network security (27033 parts 1-7)
• ICT application security (27034 parts 1-5)
• Security information objects for access control (15816)
• Security of outsourcing (27036)
• TTP services security (14516, 15945)
• Time stamping services (29149)
• Identification, collection and/or acquisition, and preservation of digital evidence (27037)

Stages: potential or emerging infosec issues → known infosec issues → infosec breaches & compromises


• Identity Management
  ◦ Framework
  ◦ Authentication assurance
  ◦ Access management

• Privacy
  ◦ Framework
  ◦ Architecture
  ◦ Capability maturity model

• Biometrics
  ◦ Biometric template protection
  ◦ Authentication context for biometrics
  ◦ Biometric evaluation


• Tackled in the 27014 project
  ◦ Aligned with ISO/IEC 38500 (Corporate governance of IT)

• Challenges
  ◦ Governance is as much a buzz-word as a defined term
  ◦ The relationship between management and governance
  ◦ The relationship between risk management and governance
  ◦ The relationships between various aspects of governance
  ◦ Responsibility and accountability

• Introduced ISO 31000 (Risk Management)
  ◦ Principles
  ◦ Framework
  ◦ Process

• Discussed infosec risk treatment
  ◦ With emphasis on existing and prospective standards

• Touched on governance of infosec
  ◦ Where the debate about the place of risk management continues

