The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common Information Security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing and getting certified to ISO27001.
The key objectives of this presentation are:
• Provide an introduction to ISO27001 and the changes in the 2013 version
• Discuss the implementation approach for an Information Security Management System (ISMS) framework
• Familiarize the audience with some common challenges in implementation
4. Overview
Most widely recognized security standard in the world
Process based, to set up an Information Security Management System (ISMS) Framework
Addresses Information security across Industries
Comprehensive in its coverage of security controls
http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001countrycode=US#countrypick
5. Benefits
Culture and Controls
• ISO27001 is a culture one has to build in the organization which would help to:
– Increase security awareness within the organization
– Identify critical assets via the Business Risk Assessment
– Provide a framework for continuous improvement
– Bring confidence internally as well as to external business partners
– Enhance the knowledge and importance of security-related issues at the management level
• Combined framework to meet multiple client requirements/compliance requirements
[Figure: benefit areas – Compliance, Competitive Advantage, Reduced Cost, Process Improvement]
6. *ISO27000 Series
• 27000, Information Security Management System – Fundamentals and vocabulary (13335-1)
• 27001, Information Security Management System – Requirements
• 27002, Code of Practice for Information Security Management
• 27003, Information Security Management System – Implementation guidelines
• 27004, Information Security Management Measurements (metrics)
• 27005, Information Security Risk Management (13335-2)
[Figure: the series grouped as vocabulary standard (27000), requirement standard (27001) and guideline standards (27002, 27004, 27005)]
* Few are mentioned here.
ISO27001 (certified) vs ISO27002 (compliant)
7. ISO 27001 2005 vs 2013
2005
1 Scope
2 Reference to ISO 17799:2005
3 Terms and Definitions
4 ISMS
5 Management Responsibility
6 Internal ISMS Audits
7 Management Review of ISMS
8 ISMS Improvement
2013
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
The revised version has a high-level structure similar to other management system standards, to make integration easier when implementing more than one management standard. The revision addresses the need to align information security management and its strategy with the business strategy, and to make the standard adaptable for SMEs.
* http://www.dionach.nl/blog/iso-27001-2013-transition-0
8. Major Changes
• Context of the organization
• Interested parties
• Interface/boundaries
• Align Organization strategies with security objective
• Risk assessment and treatment
• Asset Register is not mandatory
• Risk owner approval
• SOA control implementation status
• Objectives, monitoring and measurement
• Risk treatment and ISMS effectiveness
• Communication
• Documented Information
• Corrective preventive actions
http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
9. Annexure A (controls)
2005
• Security Policy
• Organization of Information Security
• Assets Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information system acquisition, development and maintenance
• Information Security Incident Management
• Business Continuity Planning
• Compliance
11 Clauses (Domains), 39 Control Objectives, 133 Control Activities
2013
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
14 Clauses (Domains), 35 categories (control objectives), 114 Control Activities
10. Annexure A (control structure)
Example of the hierarchy, from the 14 clauses (domains) through the 35 categories (control objectives) down to the 114 control activities:
• A.7 Human resource security (clause/domain)
– A.7.1 Prior to employment (category/control objective)
  A.7.1.1 Screening
  A.7.1.2 Terms and conditions of employment
– A.7.2 During employment (category/control objective)
  A.7.2.1 Management responsibilities
  A.7.2.2 Information security awareness, education and training
  A.7.2.3 Disciplinary process (control activity)
11. New Controls
• 6.1.4 Information security in project management
• 14.2.1 Secure development policy – rules for development of software and information systems
• 14.2.5 Secure system engineering principles – principles for system engineering
• 14.2.6 Secure development environment – establishing and protecting the development environment
• 14.2.8 System security testing – tests of security functionality
• 16.1.4 Assessment of and decision on information security events – this is part of incident management
• 17.2.1 Availability of information processing facilities – achieving redundancy
12. Control Changes
Controls deleted
• 6.2.2 Addressing security when dealing with customers
• 10.4.2 Controls against mobile code
• 10.7.3 Information handling procedures
• 10.7.4 Security of system documentation
• 10.8.5 Business information systems
• 10.9.3 Publicly available information
• 11.4.2 User authentication for external connections
• 11.4.3 Equipment identification in networks
• 11.4.4 Remote diagnostic and configuration port protection
• 11.4.6 Network connection control
• 11.4.7 Network routing control
• 12.2.1 Input data validation
• 12.2.2 Control of internal processing
• 12.2.3 Message integrity
• 12.2.4 Output data validation
• 11.5.5 Session time out
• 11.5.6 Limitation of connection time
• 11.6.2 Sensitive system isolation
• 12.5.4 Information leakage
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing business continuity plans
• 14.1.4 Business continuity planning framework
• 15.1.5 Prevention of misuse of information processing facilities
• 15.3.2 Protection of information systems audit tools
13. ISMS Process PDCA Model
• Plan: define security policies and procedures
• Do: implement and manage security controls/processes
• Check: review/audit security management and controls
• Act: implement identified improvements, corrective/preventive actions
People – Process – Technology
14. Implementation Approach
Project Set-up and Plan
Phase I – Baseline Information Security Assessment
• Identify the scope and coverage of Information Security
• Assess the current environment
• Prepare baseline information security assessment report
Phase II – Design of Information Security Policy and Procedures
• Establish Security Organization and Governance
• Identify information assets and their corresponding information security requirements
• Assess information security risks and treat information security risks
• Select relevant controls to manage unacceptable risk
• Formulate Information security policy and procedures
• Prepare Statement of Applicability
Phase III – Implementation of Information Security Policy
• Implementation of Controls
• Security Awareness training
Phase IV – Pre-Certification Audit
• Review by Internal Audit and Management review
• Corrective Action and continuous improvement
15. Asset Profiling and Risk Assessment
• An Information Asset is any information, in any format, used to operate and manage the business. It includes electronic information, paper-based assets, hardware assets (servers, desktops, other IT equipment), software assets, equipment and people.
Asset register columns: Sl. No. | Asset | Location | Owner | Custodian | User | Asset Number
Risk Factor = Asset Value * Exposure Factor * Probability of occurrence
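A worked example of the asset register and risk factor formula on this slide, added here and not taken from the presentation: it scores a constructed register with the formula and lists the assets whose risk exceeds an acceptance criterion, which is the input to risk treatment and the Statement of Applicability in Phase II. The 1-5 asset value scale, the 0-1 range for the two factors and the 0.5 acceptance threshold are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the asset register; the first seven fields are the slide's columns."""
    sl_no: int
    asset: str
    location: str
    owner: str
    custodian: str
    user: str
    asset_number: str
    asset_value: int        # assumed scale: 1 (low) .. 5 (critical)
    exposure_factor: float  # assumed: fraction of asset value lost if the threat occurs, 0..1
    probability: float      # assumed: likelihood of occurrence in the review period, 0..1


def risk_factor(a: Asset) -> float:
    """Risk Factor = Asset Value * Exposure Factor * Probability of occurrence (slide 15)."""
    for name, v in (("exposure_factor", a.exposure_factor), ("probability", a.probability)):
        if not 0.0 <= v <= 1.0:  # reject out-of-range inputs instead of producing a bogus score
            raise ValueError(f"{a.asset_number}: {name}={v} is outside [0, 1]")
    if not 1 <= a.asset_value <= 5:
        raise ValueError(f"{a.asset_number}: asset_value={a.asset_value} is outside 1..5")
    return round(a.asset_value * a.exposure_factor * a.probability, 3)


def risk_treatment_plan(register, acceptable_risk):
    """Return (asset_number, risk) pairs above the acceptance threshold, highest risk first.
    Each entry needs a risk owner's decision and a control selection for the SoA."""
    scored = ((a.asset_number, risk_factor(a)) for a in register)
    return sorted([s for s in scored if s[1] > acceptable_risk], key=lambda s: -s[1])


# Constructed sample register (hypothetical values, not from the deck).
REGISTER = [
    Asset(1, "Customer database server", "DC-1", "CIO", "DBA team", "Sales", "SRV-001", 5, 0.8, 0.3),
    Asset(2, "Marketing laptop", "HQ", "CMO", "IT helpdesk", "Marketing", "LAP-042", 2, 0.5, 0.4),
    Asset(3, "Signed contracts (paper)", "Legal archive", "GC", "Records", "Legal", "DOC-017", 4, 0.9, 0.1),
    Asset(4, "Payroll SaaS account", "Cloud", "CFO", "HR ops", "HR", "SVC-003", 4, 0.6, 0.4),
]
ACCEPTABLE_RISK = 0.5  # assumed organisation-wide risk acceptance criterion

if __name__ == "__main__":
    for number, risk in risk_treatment_plan(REGISTER, ACCEPTABLE_RISK):
        print(f"{number}: risk factor {risk} > {ACCEPTABLE_RISK} -> needs treatment")
```

Assets at or below the threshold are accepted and recorded as such; the ranked list above it is what the risk owner signs off on.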
16. Information Security Policy and Management Documents
[Figure: inputs – Risk Assessment Report, Contractual Obligations, Business Requirements, Legal or Regulatory Requirements; document set – Information Security Policy Document, Statement of Applicability, Information Security Procedures Document, Information Security Guidelines and Standards, Information Security Awareness Solutions]
17. Implementation Cost and Timeline
Implementation cost
• Acquiring knowledge (Training/Consultant)
• Implementation of process tools and new technology
• Employees' time (Training/Risk Assessment)
• Certification body
Cost Factors
• Number of Sites
• Number of employees
• Type of Industry
• Existing process maturity
• Number of Servers (IT Landscape)
Implementation key events
• Security Organization
• Asset Profiling
• Risk Assessment
• Policies and Procedures Development
• Implementation
• Awareness Training
• Internal Audit
• Management Review
18. Common Implementation Challenges
• Business alignment (Management support)
• Allocation of security responsibilities (the IT department is the one driving security)
• Process and People focus (not just technology)
• Communication and delivery of policies and procedures (approachability and availability of policy documents)
• Adequate deployment
• IT challenges
20. Certification Process
Stage 1 Audit (Desktop/Document Review)
• The Desktop Review (Stage 1 Audit) enables the certifying body to gain an understanding of the ISMS in the context of the organization's security policy, objectives and approach to risk management. It provides a focus for planning the Stage 2 audit and is an opportunity to check the preparedness of the organization for implementation.
• It includes a review of documents:
– Scope document
– Security Policy and Procedures
– Risk Assessment Report
– Risk Treatment Plan
– Statement of Applicability
Documentation levels:
– L1 Security Manual: policy, scope, risk assessment, statement of applicability
– L2 Procedures: describe processes – who, what, when, where
– L3 Work Instructions, forms, etc.: describe how tasks and specific activities are done
– L4 Records: provide objective evidence of compliance to ISMS requirements
21. Mandatory Documents
Lists of certification bodies can be found on accrediting body websites, e.g. http://www.anab.org for the USA, http://www.ukas.com for Europe, and http://www.iaf.nu for all accreditation bodies.
http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
22. Certification Process… (Contd…)
Stage 2 Audit (Implementation)
• Based on the Stage 1 audit findings, the certification body produces the Stage 2 audit plan
• It takes place at the site of the organization
• The Stage 2 audit covers:
– Confirmation that the organization is acting in accordance with its own policies, objectives and procedures
– Confirmation that the ISMS conforms with all the requirements of the ISO 27001:2013 standard and is achieving the organization's policy objectives
Stage 3 – Surveillance and Recertification
• The certificate that is awarded lasts for three years, after which the ISMS needs to be re-certified.
• During this period there will be surveillance audits (e.g. every 6-9 months)
• After 3 years one needs to go for recertification.
24. THANK YOU
Resources
http://iso27001security.com/
http://www.iso27001standard.com/en
Email: 2contactshankar@gmail.com