Introduction to ISO/IEC 27001:2005
For the ISACA Melbourne Chapter Technical Session, 18th of July 2006
Prepared by Endre P. Bihari JP of Performance Resources
What is ISO/IEC 17799?
Aim:
- Create a common basis for organisational security standards development
- Enhance security management practice
- Provide best practice guidance based on practical industry experience
- Provide a structured framework for an organisation to examine & improve security
Consists of two parts:
- Part 1: Code of Practice for Information Security Management
- Part 2: Specification for Information Security Management Systems
History of ISO/IEC 17799:2005
- Early 1990s: the Department of Trade and Industry (UK) produced an information security management code of practice, written by a working group comprising experienced information security managers
- 1995: the Code of Practice is published as a British Standard (BS 7799)
- 1999: revised and updated (BS 7799-1:1999); BS 7799-2 is published
- Late 1990s: BS 7799 is translated into different languages and adopted by several countries
- 2000: ISO/IEC 17799-1:2000 is published
- 2003: ISO/IEC 17799-2:2003 is published
- 2005: revised and updated (ISO/IEC 17799-1:2005)
- 2006: BS 7799-3 is published
The ISO/IEC 27000 Standard Family (the standard each is based on, where the slide shows one, is given in parentheses; question marks are the author's)
- ISO/IEC 27000: Information security management system fundamentals and vocabulary
- ISO/IEC 27001:2005: Information security management requirements (AS/NZS 7799-2:2003)
- ISO/IEC 27002:2007?: Code of practice for information security management (ISO/IEC 17799:2005)
- ISO/IEC 27003:2008?: Implementation guide?
- ISO/IEC 27004:2006?: Information security management metrics and measurement
- ISO/IEC 27005: Information security risk management (BS 7799-3:2006)
- ISO/IEC 27006:2007?: Guidelines for information and communications technology disaster recovery services (SS507)
- ISO/IEC 27007-27010: Allocation for future use
Structure and Relationship to Other Standards
Alignment with the structure of other quality standards (ISO 9001:2000, ISO 14001:2004, ISO/IEC 27000):
0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Management System
5. Management Responsibility
6. Audit
7. Management Review
8. Improvement
9. Annexes
ISO/IEC 27001:2005 Structure
The PDCA model (based on Deming's), applied to every ISMS process:
- PLAN (establish the ISMS): Section 4
- DO (implement and operate the ISMS): Section 5
- CHECK (monitor and review the ISMS): Sections 6 & 7
- ACT (maintain and improve the ISMS): Section 8
Annex A: Control objectives and controls (from 17799:2005)
Annex B: OECD principles: Awareness, Responsibility, Response, Risk Assessment, Security Design and Implementation, Security Management, Reassessment
Benefits of ISO/IEC 27001:2005
Improvement in:
- Understanding of the value of organisational information
- Confidence, satisfaction and TRUST of customers and business partners (e.g. when handling their sensitive information)
- Assurance level of organisational security & QUALITY
- Legal and regulatory compliance
- Organisational effectiveness in communicating security requirements
- Employee motivation and participation in security
- Management and handling of security incidents
- Ability to differentiate the organisation for competitive advantage
- Credibility & reputation
- Profitability
Why are there changes to ISO/IEC 17799:2003?
Emerging trends: Governance, Assurance, Compliance
- New threats
- Increased call for senior management commitment
- Global call for more detailed assurance measures
- Legal & regulatory pressures
Managing risks
- The whole risk management approach is now clearly understood and requires evidencing
- Increased emphasis on continuous review
Improved Clarity
OLD control text:
- CONTROL, plus some implementation guidance & other supporting information
NEW control text:
- CONTROL: a specific control statement that satisfies the control objective
- IMPLEMENTATION GUIDANCE: a list of more detailed implementation controls and related guidance that satisfies the control objective (other implementation methods might exist and may be more appropriate)
- OTHER INFORMATION: further explanation and information that might need to be considered at implementation; other, related standards
ISO Standards Related to ISO/IEC 17799:2005
[Diagram: related standards mapped onto the eleven clauses of ISO/IEC 17799:2005]
Clauses of ISO/IEC 17799:2005: Security Policy; Security Organisation; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance
Related ISO standards shown: 13335-1, 13335-2, 13335-3, 13335-4, 13569, 14516, 15408, 15443-1, 15443-2, 15443-3, 15489-1, 15489-2, 15816, 15945, 15947, 17944, 18028-1, 18028-2, 18028-3, 18028-4, 18028-5, 18043, 18044, 18045, 20000-1, 20000-2, 25000
Other standards shown: SS 507, HB 221, AS 3806, NFPA 1600
Demystifying ISO/IEC 17799:2005
- 11 clauses (or domains)
- 39 control objectives: the functional requirement specification for the ISM architecture
- 134 specific controls: not mandated, but a Statement of Applicability is! To be treated as a generic control menu to select from
- The Auditor's Standard
- Hundreds of best practice control measures offering implementation guidance
- Not complete: what is missing?
Steps Towards Certification
Development -> Implementation -> Stage 1 Audit -> Stage 2 Audit -> Surveillance & Re-assessment: Follow Up
Development and implementation are carried out by the ISMS WG; the Stage 1 and Stage 2 audits, surveillance and re-assessment by 3rd party auditor(s).
Recommended Policy / Standards Hierarchy (strategic and more generic at the top, tactical and more specific towards the bottom)
Strategic:
- Laws, Regulations & Requirements: WHAT IS REQUIRED (laws and legislation, ISO/IEC standards, business objectives)
- Principles: CORE DIRECTION (statements of commitment)
- Policy: STATEMENT OF INTENT (specifies what to do and why)
Tactical:
- Standards: CONTROL SPECIFICATION (statement and description of how resources are to be used)
More specific:
- Procedures, Processes: KNOW HOW (a written description of a course of action to be taken to perform a given task [IEEE610])
- Baselines: KNOW WHAT (provides the minimum level of requirements)
- Guidelines, Practices: SHOW HOW (describes application and usage of controls)
Source: Performance Resources, used by permission
Recommended Policy Framework (Extended)
[Diagram] Source: Performance Resources, used by permission
Sample Documents 1: Policy Statements
Sample Documents 2: Domain Standard
Sample Documents 3: Purpose Specific Standards
What Constitutes a Good Policy?
- Content over form: just because a document is called a policy does not mean it is indeed a policy
- Alignment with business needs
- Clarity
- Comprehensiveness
- Simple and practical
- Easy to maintain
- Accessible
- Supportive environment
- Enforceable and enforced
Development Considerations
Skills:
- Knowledge of RFCs, ISO and other standards
- Clear and precise communication
- Intimate knowledge of information security (both technical and managerial)
Time, Cost, Quality:
- 10-13 days (policy), 5-7 days (standards)
- $800 - $1,600 per day
- Licensing: immediate, for less than half of this cost! (available through Performance Resources)
Further Information
Further information is available at http://www.perfres.net/methodology.asp
Or contact me: Endre Bihari
Mobile: 0414 35 15 58
Email: endreb@mail2me.com.au