ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Transcription

1 ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

2 Information Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Printed or written on paper Stored electronically Transmitted by mail or electronic means Spoken in conversations

3 What is Information Security ISO defines this as the preservation of: Threats Safeguarding the accuracy and completeness of information and processing methods Vulnerabilities security security Information Integrity Confidentiality Availability security security Ensuring that information is accessible only to those authorized to have access Risks Ensuring that authorized users have access to information and associated assets when required

4 Achieving Information Security 4 Ps of Information Security Policy & Procedures People Products

5 Drivers & Benefits of compliance with the standard

6 ISO27001 Drivers Internal Business Drivers Corporate Governance Increased Risk Awareness Competition Customer Expectation Market Expectation Market Image Regulators 9% 18% 38% Reasons for seeking Certification according to a BSI-DISC survey 35% Best Practice Business Security Competitive Advantage Market Demand

7 Benefits of compliance [1] Improved effectiveness of Information Security Market Differentiation Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence') The only standard with global acceptance Potential lower rates on insurance premiums Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act) Reduced liability due to unimplemented or enforced policies and procedures

8 Benefits of compliance [2] Senior Management takes ownership of Information Security Standard covers IT as well as organization, personnel, and facilities Focused staff responsibilities Independent review of the Information Security Management System Better awareness of security Combined resources with other Management Systems (eg. QMS) Mechanism for measuring the success of the security controls

9 ISO27001 Evolution

10 ISO27001/ISO17799/BS7799: History 1995 BS 7799 Part Dec BS 7799 Part 2 ISO 17799:2000 New issue of BS 7799 Part 1 & 2 New BS New ISO 17799:2005 released ISO 27001:2005 released

11 ISO 27001, ISO17799 & BS7799 Standards ISO/IEC = BS 7799-Part 1 Code of Practice for Information Security Management Provides a comprehensive set of security controls Based on best information security practices It cannot be used for assessment and registration ISO = BS 7799-Part 2 Specification for Information Security Management Systems Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) Specifies requirements for security controls to be implemented Can be used for assessment and registration

12 Why BS7799 moved to ISO27001 Elevation to international standard status More organizations are expected to adopt it Clarifications and Improvements made by the International Organization for Standardization Definition alignment with other ISO standards (such as ISO/IEC :2004 and ISO/IEC TR 18044:2004)

13 The ISO series ISO principles and vocabulary (in development) ISO ISMS requirements (BS7799 Part 2) ISO ISO/ IEC 17799:2005 (from 2007 onwards) ISO ISMS Implementation guidelines (due 2007) ISO ISMS Metrics and measurement (due 2007) ISO ISMS Risk Management ISO allocation for future use

14 ISO Overview

15 What is ISO27001? An internationally recognized structured methodology dedicated to information security A management process to evaluate, implement and maintain an Information Security Management System (ISMS) A comprehensive set of controls comprised of best practices in information security Applicable to all industry sectors Emphasis on prevention

16 ISO27001 Is Not A technical standard Product or technology driven An equipment evaluation methodology such as the Common Criteria/ISO But may require utilization of a Common Criteria Equipment Assurance Level (EAL)

17 Holistic Approach ISO defines best practices for information security management A management system should balance p h y s i c a l, t e c h n i c a l, p r o c e d u r a l, and p e r s o n n e l s e c u ri t y Without a formal Information Security Management System, such as a BS based system, there is a greater risk to your security being breached Information security is a management process, not a technological process

18 ISO 27001: PDCA 4. Maintain and improve the ISMS Take corrective and preventive actions, based on the results of the management review, to achieve continual improvement of the ISMS. 1. Establish the ISMS Establish security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization s overall policies and objectives. 3. Monitor and review the ISMS Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review. 2. Implement and operate the ISMS Implement and operate the security policy, controls, processes and procedures.

19 ISO 27001:2005 Structure Five Mandatory requirements of the standard: Information Security Management System General requirements Establishing and managing the ISMS (e.g. Risk Assessment) Documentation Requirements Management Responsibility Management Commitment Resource Management (e.g. Training, Awareness) Internal ISMS Audits Management Review of the ISMS Review Input (e.g. Audits, Measurement, Recommendations) Review Output (e.g. Update Risk Treatment Plan, New Recourses) ISMS Improvement Continual Improvement Corrective Action Preventive Action

20 The 11 Domains of Information Management Overall the standard can be put in : Organization of Information Security Security Policy Human Resources Security Asset Management Domain Areas 11, Control Objectives 39, and Controls 133 Physical & Environmental Security Information Systems acquisition, development and maintenance Access Control Communications & Operations Management Business Continuity Management Information Security Incident management Compliance

21 ISO27001 vs BS7799

22 ISO27001 vs BS7799 [1] BS7799 Security Policy Security Organisation Asset Classification & Control Personnel Security Physical & Environmental Security Communications & Operations Management Access Control Systems Development & Maintenance Business Continuity Management Compliance ISO Security Policy Organising Information Security * Asset Management * Human Resources Security * Physical & Environmental Security * Communications & Operations Management * Access Control Information Systems Acquisition, * Development and Maintenance Information Security Incident Management Business Continuity Management Compliance * - new control/s added

23 ISO Implementation

24 Implementation Process Assemble a Team and Agree to Your Strategy Define Scope Review Consultancy Options Identification of Information Assets Determination of Value of Information Assets Identification of Legal, regulatory & contractual requirements Determination of Risk Determination of Policy(ies) and the Degree of Assurance Required from the Controls Identification of Control Objectives and Controls Statement of Applicability Definition of Security Strategy & Organisation Definition of Policies, Standards, and Procedures to Implement the Controls Completion of ISMS Documentation Requirements Update Statement of Applicability Implementation of Policies, Standards, and Procedures

25 Defining Scope and Participants Contracts and agreements

26 ISMS Documentation Management framework policies relating to ISO Level 1 Security Manual Policy, Organisation, risk assessment, statement of applicability Level 3 Level 2 Describes processes who, what, when, where Describes how tasks and specific activities are done Procedure Work Instructions, checklists, forms, etc. Level 4 Provides objective evidence of compliance to ISMS requirements Records

27 Implementation Issues Develop Documentation Educate Personnel Develop Security Newsletter Select External Consultant Disseminate Policy Approval by CEO Acquire Conduct Awareness Policy Tool Sec Awareness Enforce Policy Material ISO27001 Internal Assessment Develop other missing controls (Physical, BCP etc.) Continue Awareness ISO27001 External Assessment Monitor & Measure Compliance Update Security Technologies (if needed) Security Awareness Program is a very important issue. A Tool is essential to make security policies visible across the organization and to translate policy objectives into actual compliance.

28 Registration Process Audit and Review of Information Security Management System Choose a Registrar Initial Inquiry Optional Quotation Provided Application Submitted Client Manager Appointed Pre- Assessment Phase 1 Undertake a Desktop Review Phase 2 Undertake a Full Audit Registration Confirmed Upon Successful Completion Continual Assessment Internal External Continuing (every 6 months) Re-Assessment (every 3 years)

29 Critical Success Factors Security policy that reflects business objectives Implementation approach consistent with company culture Visible support and commitment from management Good understanding of security requirements, risk assessment and risk management Effective marketing of security to all managers and employees Providing appropriate training and education A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feedback suggestions for improvement Use of automated Security Policy Management tool.

30 Closing Remarks

31 ISO27001 can be Without genuine support from the top a failure Without proper implementation a burden With full support, proper implementation and ongoing commitment a major benefit

32 Thank you for your time For more information please contact: ENCODE Middle East P.O. Box Dubai Internet City Dubai UAE Tel.:

33