ISO 27001 Introduction

ISO/IEC 27001:2005
A brief introduction

Dimitris Petropoulos
Managing Director
ENCODE Middle East
September 2006
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

Ø Printed or written on paper
Ø Stored electronically
Ø Transmitted by mail or electronic means
Ø Spoken in conversations
What is Information Security

Ø ISO 27001 defines this as the preservation of:
   – Confidentiality: ensuring that information is accessible only to those authorized to have access
   – Integrity: safeguarding the accuracy and completeness of information and processing methods
   – Availability: ensuring that authorized users have access to information and associated assets when required

(Diagram: the Confidentiality / Integrity / Availability triad around "Information", surrounded by the threats, vulnerabilities and risks that security must address.)
Achieving Information Security

4 Ps of Information Security (diagram; only People and Products are legible)
Drivers & Benefits of compliance with the standard

ISO27001 Drivers

Ø Internal Business Drivers
   – Corporate Governance
   – Increased Risk Awareness
   – Competition
   – Customer Expectation
   – Market Expectation
   – Market Image

Ø Regulators

Ø Reasons for seeking Certification according to a BSI-DISC survey
   (pie chart with segments of 38%, 35% and 18%; categories: Best Practice, Business Security, Competitive Advantage, Market Demand)
Benefits of compliance [1]

Ø Improved effectiveness of Information Security
Ø Market Differentiation
Ø Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
Ø The only standard with global
Ø Potential lower rates on insurance premiums
Ø Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
Ø Reduced liability due to unimplemented or unenforced policies and procedures
Benefits of compliance [2]

Ø Senior Management takes ownership of Information Security
Ø Standard covers IT as well as organization, personnel, and
Ø Focused staff responsibilities
Ø Independent review of the Information Security Management
Ø Better awareness of security
Ø Combined resources with other Management Systems (e.g. QMS)
Ø Mechanism for measuring the success of the security controls
ISO27001 Evolution

Ø 1995 – BS 7799 Part 1
Ø BS 7799 Part 2
Ø New issue of BS 7799 Part 1 & 2
Ø Dec 2000 – ISO 17799:2000
Ø New BS 7799-2
Ø 2005 – New ISO 17799:2005 released; ISO 27001:2005 released
ISO 27001, ISO17799 & BS7799
Ø ISO/IEC 17799 = BS 7799-Part 1
  Code of Practice for Information Security
   – Provides a comprehensive set of security controls
   – Based on best information security practices
   – It cannot be used for assessment and registration

Ø ISO 27001 = BS 7799-Part 2
  Specification for Information Security Management
   – Specifies requirements for establishing, implementing,
     and documenting Information Security Management
     Systems (ISMS)
   – Specifies requirements for security controls to be
   – Can be used for assessment and registration
Why BS7799 moved to ISO27001

Ø Elevation to international standard status

Ø More organizations are expected to adopt it

Ø Clarifications and Improvements made by the
  International Organization for Standardization

Ø Definition alignment with other ISO standards
  (such as ISO/IEC 13335-1:2004 and ISO/IEC TR

The ISO 27000 series

Ø   ISO 27000   – principles and vocabulary (in development)
Ø   ISO 27001   – ISMS requirements (BS7799 – Part 2)
Ø   ISO 27002   – ISO/IEC 17799:2005 (from 2007 onwards)
Ø   ISO 27003   – ISMS Implementation guidelines (due 2007)
Ø   ISO 27004   – ISMS Metrics and measurement (due 2007)
Ø   ISO 27005   – ISMS Risk Management
Ø   ISO 27006   – 27010 – allocation for future use
ISO 27001 Overview
What is ISO27001?

✓ An internationally recognized structured methodology dedicated to information security
✓ A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
✓ A comprehensive set of controls comprised of best practices in information security
✓ Applicable to all industry sectors
✓ Emphasis on prevention
ISO27001 Is Not…

✗ A technical standard
✗ Product or technology driven
✗ An equipment evaluation methodology such as the Common Criteria/ISO 15408
   – But may require utilization of a Common Criteria Equipment Assurance Level (EAL)
Holistic Approach

Ø ISO 27001 defines best practices for information
  security management

Ø A management system should balance physical,
  technical, procedural, and personnel

Ø Without a formal Information Security
  Management System, such as a BS 7799-2 based
  system, there is a greater risk to your security
  being breached

Ø Information security is a management process, not
  a technological process
ISO 27001:2005 - PDCA

1. Establish the ISMS (Plan)
   • Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

2. Implement and operate the ISMS (Do)
   • Implement and operate the security policy, controls, processes and procedures.

3. Monitor and review the ISMS (Check)
   • Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.

4. Maintain and improve the ISMS (Act)
   • Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.
ISO 27001:2005 Structure

Five Mandatory requirements of the standard:
Ø Information Security Management System
   • General requirements
   • Establishing and managing the ISMS (e.g. Risk Assessment)
   • Documentation Requirements
Ø Management Responsibility
   • Management Commitment
   • Resource Management (e.g. Training, Awareness)
Ø Internal ISMS Audits
Ø Management Review of the ISMS
   • Review Input (e.g. Audits, Measurement, Recommendations)
   • Review Output (e.g. Update Risk Treatment Plan, New Resources)
Ø ISMS Improvement
   • Continual Improvement
   • Corrective Action
   • Preventive Action
The 11 Domains of Information Security

Overall the standard can be put in:
   • Domain Areas – 11,
   • Control Objectives – 39, and
   • Controls – 133

(Diagram of the domain areas; legible labels: Organization of Security, Asset Management, Physical & Environmental Security, Communications & Operations Management, Access Control, Security Incident Management, Information Systems Development and Maintenance, Business Continuity Management. The full list is given in the ISO27001 vs BS7799 table.)
ISO27001 vs BS7799

ISO27001 vs BS7799 [1]

BS7799                                ISO 27001
Security Policy                       Security Policy
Security Organisation                 Organising Information Security *
Asset Classification & Control        Asset Management *
Personnel Security                    Human Resources Security *
Physical & Environmental Security     Physical & Environmental Security *
Communications & Operations           Communications & Operations
  Management                            Management *
Access Control                        Access Control
Systems Development & Maintenance     Information Systems Acquisition, *
                                        Development and Maintenance
–                                     Information Security Incident Management
Business Continuity Management        Business Continuity Management
Compliance                            Compliance

* – new control/s added
ISO 27001 Implementation

Implementation Process (flowchart; boxes listed in reading order)

1. Assemble a Team and Agree to Your Strategy
2. Define Scope
3. Review Consultancy Options
4. Identification of …
5. Determination of Value of Information Assets
6. Identification of Legal, regulatory & contractual requirements
7. Determination of Risk
8. Determination of Policy(ies) and the Degree of Assurance Required from the Controls
9. Identification of Control Objectives and Controls
10. Definition of Security Strategy & Organisation
11. Statement of Applicability
12. Definition of Policies, Standards, and Procedures to Implement the …
13. Completion of …
14. Implementation of Policies, Standards, and Procedures
15. Update Statement of Applicability
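To make the Statement of Applicability step concrete, here is an added example that is not part of the presentation and is not ENCODE's code: a small Python register modelling the SoA that the control-selection steps produce and that the final step updates. It encodes the content ISO 27001:2005 (clause 4.2.1 j) asks the SoA to carry: which controls were selected, which are currently implemented, and a justification for every control excluded. The control ids (SP-1, AC-1, ...), domain names in the sample and the justification text are constructed for illustration and are not Annex A references.

```python
"""Statement of Applicability (SoA) register with the consistency checks an
internal ISMS audit would run.  Added example; control ids and sample data are
constructed, not taken from ISO 27001 Annex A or from the presentation."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str          # constructed id, not an Annex A reference
    domain: str              # one of the standard's domain areas
    objective: str           # control objective the control serves
    applicable: bool         # selected for this ISMS scope, or excluded
    justification: str = ""  # required whenever applicable is False
    implemented: bool = False


@dataclass
class StatementOfApplicability:
    controls: list = field(default_factory=list)

    def add(self, control: Control) -> None:
        # Each control appears exactly once in the SoA.
        if any(c.control_id == control.control_id for c in self.controls):
            raise ValueError(f"duplicate control id {control.control_id}")
        self.controls.append(control)

    def problems(self) -> list:
        """Findings an auditor would raise; an empty list means the SoA is consistent."""
        findings = []
        for c in self.controls:
            if not c.applicable and not c.justification.strip():
                findings.append(f"{c.control_id}: excluded without justification")
            if not c.applicable and c.implemented:
                findings.append(f"{c.control_id}: marked implemented but excluded")
        return findings

    def coverage(self) -> dict:
        """Per-domain (selected, implemented) counts: the kind of measurement fed
        into the 'monitor and review' step and the management review."""
        selected = Counter(c.domain for c in self.controls if c.applicable)
        implemented = Counter(
            c.domain for c in self.controls if c.applicable and c.implemented
        )
        return {d: (selected[d], implemented[d]) for d in selected}


def build_sample_soa() -> StatementOfApplicability:
    """Constructed sample: four selected/excluded controls across three domains."""
    soa = StatementOfApplicability()
    soa.add(Control("SP-1", "Security Policy", "Provide management direction",
                    True, implemented=True))
    soa.add(Control("AC-1", "Access Control", "Control access to information", True))
    soa.add(Control("AC-2", "Access Control", "Control access to information",
                    True, implemented=True))
    soa.add(Control("PE-3", "Physical & Environmental Security",
                    "Protect equipment used off-site", False,
                    justification="No equipment is used off-site within the ISMS scope"))
    # Excluded with no justification: this is the defect the check must catch.
    soa.add(Control("BC-1", "Business Continuity Management",
                    "Counteract interruptions to business activities", False))
    return soa


if __name__ == "__main__":
    sample = build_sample_soa()
    for finding in sample.problems():
        print("FINDING:", finding)
    for domain, (sel, impl) in sample.coverage().items():
        print(f"{domain}: {impl}/{sel} selected controls implemented")
```

Run as a script it lists the one inconsistent entry (BC-1, excluded without a reason) and the per-domain implementation ratio; the same register, re-run after each change, is what "Update Statement of Applicability" amounts to in practice.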
Defining Scope and Participants

(Diagram; only the label "Contracts and agreements" is legible.)
ISMS Documentation

Level 1 – Security Manual: management framework, policies relating to ISO 27001, risk assessment, statement of applicability
Level 2 – Procedures: describes processes – who, what, when, where
Level 3 – Work Instructions, checklists, forms, etc.: describes how tasks and specific activities are done
Level 4 – Records: provides objective evidence of compliance to ISMS requirements
Implementation Issues

(Flowchart of activities; boxes listed in reading order)
Ø Develop Documentation
Ø Approval by CEO
Ø Acquire Policy Tool
Ø Select External Sec Awareness Material
Ø Disseminate Policy
Ø Conduct Awareness
Ø Educate
Ø Develop Security Newsletter
Ø Continue Awareness
Ø Enforce Policy
Ø ISO27001 Internal Assessment
Ø ISO27001 External Assessment
Ø Monitor & Measure Compliance
Ø Develop other missing controls (Physical, BCP etc.)
Ø Update Security Technologies (if needed)

A Security Awareness Program is a very important issue.
A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.
Registration Process

Audit and Review of Information Security Management System (flowchart; boxes listed in reading order)
Ø Initial Inquiry
Ø Choose a Registrar
Ø Quotation Provided
Ø Application Submitted
Ø Pre-Assessment
Ø Phase 1 – Undertake a Desktop …
Ø Phase 2 – Undertake a Full Audit
Ø Registration Confirmed Upon Successful Completion
Ø Continual Assessment – Internal; External; Continuing (every 6 months); Re-Assessment (every 3 years)
Critical Success Factors

Ø Security policy that reflects business objectives
Ø Implementation approach consistent with company culture
Ø Visible support and commitment from management
Ø Good understanding of security requirements, risk assessment
   and risk management
Ø Effective marketing of security to all managers and employees
Ø Providing appropriate training and education
Ø A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
Ø Use of automated Security Policy Management tool.
Closing Remarks
ISO27001 can be…

Ø Without genuine support from the top – a failure

Ø Without proper implementation – a burden

Ø With full support, proper implementation and
  ongoing commitment – a major benefit
Thank you for your time…

For more information please contact:

  ENCODE Middle East

  P.O. Box 500328
  Dubai Internet City
  Dubai – UAE
  Tel.: +971-4-3608430
