ISO/IEC 27001:2005: A brief introduction
Dimitris Petropoulos, Managing Director, ENCODE Middle East. September 2006
Information
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected."
Information may be:
• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Spoken in conversations
• …
What is Information Security?
ISO 27001 defines it as the preservation of:
• Confidentiality: ensuring that information is accessible only to those authorized to have access
• Integrity: safeguarding the accuracy and completeness of information and processing methods
• Availability: ensuring that authorized users have access to information and associated assets when required
(Diagram: the three properties form a triangle around the information asset, on which threats, vulnerabilities and risks act.)
Achieving Information Security
The 4 Ps of Information Security:
• Policy & Procedures
• People
• Products
Drivers & Benefits of compliance with the standard
ISO27001 Drivers
• Internal business drivers: corporate governance, increased risk awareness, competition, customer expectation, market expectation, market image
• Regulators
• Reasons for seeking certification, according to a BSI-DISC survey (pie chart): Best Practice, Business Security, Competitive Advantage, Market Demand, with shares of 38%, 35%, 18% and 9%
Benefits of compliance [1]
• Improved effectiveness of information security
• Market differentiation
• Provides confidence to trading partners, stakeholders and customers (certification demonstrates "due diligence")
• The only information security management standard with global acceptance
• Potentially lower insurance premiums
• Compliance with mandates and laws (e.g. Data Protection Act, Communications Protection Act)
• Reduced liability arising from unimplemented or unenforced policies and procedures
Benefits of compliance [2]
• Senior management takes ownership of information security
• The standard covers IT as well as organization, personnel and facilities
• Focused staff responsibilities
• Independent review of the Information Security Management System
• Better awareness of security
• Combined resources with other management systems (e.g. QMS)
• A mechanism for measuring the success of the security controls
ISO27001 Evolution

ISO27001 / ISO17799 / BS7799: History
• 1995: BS 7799 Part 1
• 1998: BS 7799 Part 2
• 1999: New issue of BS 7799 Part 1 & 2
• Dec 2000: ISO 17799:2000
• 2002: New BS 7799-2
• 2005: New ISO 17799:2005 released; ISO 27001:2005 released
ISO 27001, ISO17799 & BS7799 Standards
• ISO/IEC 17799 = BS 7799 Part 1, Code of Practice for Information Security Management
  - Provides a comprehensive set of security controls
  - Based on best information security practices
  - Cannot be used for assessment and registration
• ISO 27001 = BS 7799 Part 2, Specification for Information Security Management Systems
  - Specifies requirements for establishing, implementing and documenting Information Security Management Systems (ISMS)
  - Specifies requirements for the security controls to be implemented
  - Can be used for assessment and registration

Why BS7799 moved to ISO27001
• Elevation to international standard status
• More organizations are expected to adopt it
• Clarifications and improvements made by the International Organization for Standardization
• Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and ISO/IEC TR 18044:2004)
The ISO 27000 series
• ISO 27000 – principles and vocabulary (in development)
• ISO 27001 – ISMS requirements (BS7799 Part 2)
• ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
• ISO 27003 – ISMS implementation guidelines (due 2007)
• ISO 27004 – ISMS metrics and measurement (due 2007)
• ISO 27005 – ISMS risk management
• ISO 27006 – 27010 – allocated for future use
ISO 27001 Overview
What is ISO27001?
• An internationally recognized structured methodology dedicated to information security
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
• A comprehensive set of controls comprising best practices in information security
• Applicable to all industry sectors
• Emphasis on prevention

ISO27001 is not…
• A technical standard
• Product- or technology-driven
• An equipment evaluation methodology such as the Common Criteria / ISO 15408
  - It may, however, require a product to have been evaluated to a Common Criteria Evaluation Assurance Level (EAL)

Holistic Approach
• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural and personnel security
• Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached
• Information security is a management process, not a technological process
ISO 27001:2005 - PDCA
1. Establish the ISMS (Plan)
   • Establish the security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
2. Implement and operate the ISMS (Do)
   • Implement and operate the security policy, controls, processes and procedures.
3. Monitor and review the ISMS (Check)
   • Assess and, where applicable, measure process performance against the security policy, objectives and practical experience, and report the results to management for review.
4. Maintain and improve the ISMS (Act)
   • Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS.
ISO 27001:2005 Structure
The five mandatory requirements of the standard:
• Information Security Management System
  - General requirements
  - Establishing and managing the ISMS (e.g. risk assessment)
  - Documentation requirements
• Management Responsibility
  - Management commitment
  - Resource management (e.g. training, awareness)
• Internal ISMS Audits
• Management Review of the ISMS
  - Review input (e.g. audits, measurement, recommendations)
  - Review output (e.g. updated risk treatment plan, new resources)
• ISMS Improvement
  - Continual improvement
  - Corrective action
  - Preventive action
The 11 Domains of Information Security Management
Overall, the controls of the standard fall into these domains:
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
In total: 11 domain areas, 39 control objectives and 133 controls.
ISO27001 vs BS7799
ISO27001 vs BS7799 [1]

BS7799                                   ISO 27001
Security Policy                          Security Policy
Security Organisation                    Organising Information Security *
Asset Classification & Control           Asset Management *
Personnel Security                       Human Resources Security *
Physical & Environmental Security        Physical & Environmental Security *
Communications & Operations Management   Communications & Operations Management *
Access Control                           Access Control
Systems Development & Maintenance        Information Systems Acquisition, Development and Maintenance *
(new domain in ISO 27001)                Information Security Incident Management
Business Continuity Management           Business Continuity Management
Compliance                               Compliance

* new control(s) added
ISO 27001 Implementation
Implementation Process
• Assemble a team and agree your strategy (defining scope and participants; contracts and agreements; review consultancy options)
• Define scope
• Identification of information assets
• Determination of the value of information assets
• Identification of legal, regulatory & contractual requirements
• Determination of risk
• Determination of policy(ies) and the degree of assurance required from the controls
• Definition of security strategy & organisation
• Identification of control objectives and controls; Statement of Applicability
• Definition of policies, standards and procedures to implement the controls
• Completion of ISMS documentation requirements
• Implementation of policies, standards and procedures
• Update the Statement of Applicability
ISMS Documentation
• Level 1: Security Manual. Policy, organisation, risk assessment, statement of applicability; the management framework policies relating to ISO 27001
• Level 2: Procedures. Describe processes: who, what, when, where
• Level 3: Work instructions, checklists, forms, etc. Describe how tasks and specific activities are done
• Level 4: Records. Provide objective evidence of compliance with ISMS requirements
Implementation Issues
• Educate personnel: conduct awareness sessions, produce security awareness material and a newsletter, and continue awareness activity
• Develop documentation: select an external consultant, develop the security policy, obtain approval by the CEO, acquire a policy tool, disseminate the policy
• Enforce the policy
• ISO27001 internal assessment
• ISO27001 external assessment
• Monitor & measure compliance
• Develop other missing controls (physical, BCP etc.)
• Update security technologies (if needed)
A security awareness programme is a very important issue. A tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.
Registration Process: audit and review of the Information Security Management System
• Choose a registrar
• Initial inquiry
• Optional quotation provided
• Application submitted
• Client manager appointed
• Pre-assessment
• Phase 1: desktop review
• Phase 2: full audit
• Registration confirmed upon successful completion
• Continual assessment: internal, and external continuing assessment (every 6 months); re-assessment (every 3 years)
Critical Success Factors
• A security policy that reflects business objectives
• An implementation approach consistent with company culture
• Visible support and commitment from management
• A good understanding of security requirements, risk assessment and risk management
• Effective marketing of security to all managers and employees
• Providing appropriate training and education
• A comprehensive and balanced system of measurement, used to evaluate performance in information security management and to feed back suggestions for improvement
• Use of an automated security policy management tool
Closing Remarks
ISO27001 can be…
• Without genuine support from the top: a failure
• Without proper implementation: a burden
• With full support, proper implementation and ongoing commitment: a major benefit
Thank you for your time… For more information please contact:
ENCODE Middle East P.O. Box 500328 Dubai Internet City Dubai – UAE Tel.: +971-4-3608430 http://www.encodegroup.com