Implementing an ISMS: Stories from the Trenches. Peter H. Gregory, CISA, CISSP, DRCE

Transcription

1 Implementing an ISMS: Stories from the Trenches Peter H. Gregory, CISA, CISSP, DRCE

2 About the speaker Peter H. Gregory, CISA, CISSP, DRCE Security and risk manager Author of 19 books on security / tech

3 About the speaker Security and Risk Manager $300MM Public company providing financial services ISO27001, ISO certified. SAS70 Type II, PCI, SOX audits.

4 InfraGard Evergreen State Chapter Critical Infrastructure Protection Training. Networking. Intelligence. Join today.

5 Why we run an ISMS Foundation of a Trust Platform Establish and improve credibility in our top-down security program Resist customer audits

6 Agenda What is an ISMS Background on ISMS & ISO How to get audited / certified Discussion / questions

7 What s s an ISMS Information Security Management System Top-down security management Organized security management Policy and risk based Defined in ISO27001:2005

8 What is ISO27001 International standard on information security management Management driven, risk-based, life cycle security management

9 Brief history of ISO BS7799 Part 2 in 1999 Became ISO27001 in 2005 Full name: ISO/IEC 27001: Information technology -- Security techniques -- Information security management systems Requirements Intended to be paired with ISO (former ISO 17799, formerly BS7799 Part 1)

10 27001 and is the body of ISMS management requirements is the body of controls (the code of practice ) You can use them together, or not

11 Adoption of ISO27001 Advantage: established and respected world-wide wide standard; traction in Europe and Asia Disadvantage: document cost; because it is not free, many have not seen it Gaining traction in the U.S.

12 Why ISO International standard International recognition Vetted If you follow it faithfully, you ll get your security right

13 Framework / Structure Required activities / processes Required documents Required records Do all that and you can be certified

14 Required processes Risk Assessment Risk Treatment Plan Incident Management Monitoring and Review Corrective Action Preventive Action

15 Required documents ISMS Scope Description ISMS Policy (High-Level) Asset Inventory Operational Procedures and Controls Internal Audit Plan, Procedure, and Schedule

16 Required records Evidence of Management Risk Decisions Evidence of Legal and Regulatory Review Evidence of Management Review

17 How to be audited Pick any security consulting firm with competent auditors who are familiar with / Give preference to certified ISMS auditors

18 How to get registered Be audited by a registrar BSI Americas (bsiamericas.com( bsiamericas.com) Bureau Veritas Certification Holding SAS ( ) KPMG (kpmg.com( kpmg.com) Perry Johnson Registrars (pjr.com( pjr.com) How to find a registrar ukas.com

19

20 How to get registered 1. Management commitment 2. Define security policy 3. Define ISMS scope 4. Perform risk assessment 5. Risk treatment 6. Select objectives and controls 7. Implement controls 8. Undergo audit by registered audit firm 9. If pass, receive certificate

21 Security Policy Use what you have or develop one Nothing sacred or special here Advice: use ISO as a guide

22 ISMS Scope Formal statement that describes the activities that are in scope for ISO registration

23 Risk Assessment Identify in-scope assets Identify threats, vulnerabilities Identify impact of threat realization Analyze risks

24 Risk Treatment Treat risks from the risk assessment Mitigate, avoid, transfer, accept Identify / create controls to mitigate Obtain approval for residual risk

25 Create / Select Controls Use (17799) as a guide Omit those you don t t need Add others

26 Implement Controls Processes Procedures Records

27 Get your audit Get your certificate, hopefully!

28 Recap: Required processes Risk Assessment Risk Treatment Plan Incident Management Monitoring and Review Corrective Action Preventive Action

29 Recap: Required documents ISMS Scope Description ISMS Policy (High-Level) Asset Inventory Operational Procedures and Controls Internal Audit Plan, Procedure, and Schedule

30 Recap: Required records Evidence of Management Risk Decisions Evidence of Legal and Regulatory Review Evidence of Management Review

31 And now for those stories what would you like to know?

32 More information iso.org or ansi.org purchase CHF = US$ on 10/27/08 bsiamericas.com, kpmg.com, pjr.com iso safemode.org iso27001.org - information

33