2. Information
“Information is an asset which, like other important
business assets, has value to an organization and
consequently needs to be suitably protected.”
–Printed or written on paper
–Stored electronically
–Transmitted by mail or electronic means
–Spoken in conversations
5. What is ISO27001?
– An internationally recognized structured
methodology dedicated to information security
–A management process to evaluate, implement and
maintain an Information Security Management
System (ISMS)
–A comprehensive set of controls comprised of best
practices in information security
–Applicable to all industry sectors
–Emphasis on prevention
6. Holistic Approach
–ISO 27001 defines best practices for information
security management
–A management system should balance physical,
technical, procedural, and personnel security
–Without a formal Information Security
Management System, such as a BS 7799-2 based
system, there is a greater risk to your security being
breached
–Information security is a a management process,
not
a technological process
12. Documentation Requirement
The ISMS documentation shall include:
a) documented statements of the ISMS policy and objectives
b) the scope of the ISMS
c) procedures and controls in support of the ISMS
d) a description of the risk assessment methodology
e) the risk assessment report
f) the risk treatment plan
g) documented procedures needed by the organization to ensure the effective
planning, operation and control of its information security processes and
describe how to measure the effectiveness of controls
h) records required by this International Standard
i) the Statement of Applicability.
13. Comparison Between ISO 9001 & ISO 27001
ISO 27001
ISO 9001
•
•
•
•
•
•
Quality Policy & Objectives
Quality Manual
6 Mandatory Procedures
Departmental Manual
Procedures, Work Instructions,
Guidelines
Formats, Checklist
•
•
•
•
•
•
•
•
•
•
•
•
•
ISMS Manual
Control Manual
5 Mandatory Procedures
Other Work Instructions, Procedures,
Guidelines required
Formats, Checklist Required
ISMS policy & objectives
a description of the risk assessment
methodology
the risk assessment report
the risk treatment plan
the Statement of Applicability
legal & contractual requirement
points considered in the management review
input include vulnerabilities or threats not
adequately addressed in the previous risk
assessment;
results from effectiveness measurements;