ISO 27001 Introduction lecture
Director of technology
Over 35 years of professional IT experience
Focus areas include Development, Architecture, Operations, Support
Work with a multi-national team delivering software for $5bn accounting firm
Work with private, public, and hybrid cloud solutions
.NET and Java stack experience
What is ISO 27001
International standard designed to bring rigor around the implementation of security standards for any given company.
It accomplishes this by providing structure around an information security management system (ISMS), so that you properly document and implement your management system and ensure that security, risk, scope, assets, environment, etc. are all managed properly.
When people talk about it they are actually talking about quite a bit more.
What are they really talking about?
Creating a bunch of documentation
Assessing risk of a company
Identifying assets of the company
Going through a pre-audit
Going through the audit
Nope: an ongoing mini-audit each year and a full audit in the third year
Why would you do this
Good for getting business
Good for protecting business
Good for knowing what you do
Good for documenting how you do “it”
What are the typical steps
Define the security policy
Define the scope
Conduct a risk assessment
Select controls and their objectives
Create your statement of applicability
“Boil the ocean” or “Less is More”
Which is better: create the ISMS for the entire company, or choose the smallest system possible and do it for that?
Sample Scope statements
The Information Security Management System (ISMS) applies to the provision of trusted and managed information security services to internal and external customers of <ORGANIZATION> in accordance with the ISMS Statement of Applicability revision xx, dated xx-xxx-xxxx.
As stated in the Information Security Management System (ISMS) Statement of Applicability, revision xx, dated xx-xxx-xxxx, the ISMS encompasses <ORGANIZATION>’s Information Technology Division Office, Computer Lab, Storehouse and Computer Classroom, covering business activities relating to the provision of operation, maintenance and management of Internet and Web services and systems.
The provision of e-Business solutions that are fully integrated to deliver the complete process and management of e-Business components including: workflows; contacts; e-mail; bulletin boards; news; events; traffic analysis and audits on a secure hosted platform, 24 hours a day, 365 days a year, as per the Statement of Applicability approved by senior management on xx-XXX-xxxx.
Case 1 – Acme Widgets
You work for a $100 million company that has some good documentation already in place. You have roughly 20 major systems used by the company, well-defined departments and roles.
You are part of a team and will be working together to define the scope for your initial ISMS.
The main systems of your company are: HRIS (medium documentation), inventory management (poor documentation), customer-facing website (well documented), IDAM (medium documentation), and manufacturing control (well documented).
Group effort 1
Divide into 3 groups (count off)
Discuss what your initial scope will be
Create a scope statement to define what you will work with
Be able to justify why you selected what you did
Be able to discuss any concerns you foresee management having with your scope statement
Try to create your own unique scope statement; refer to the samples
What did you think?
Was it hard?
Did you boil the ocean or go for less is more?
What would upper management think of your work?
Why do you think your approach was correct?
What comes next
Understanding what comes next is important
Twelve sections are addressed as part of your ISMS
If you think college is tough, just wait
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
There are many sections…
There are many sections in the standard
Each takes significant time, investment, documentation, planning and execution
Templates do exist to make life a bit easier
Which sections do I need to do, and which can I skip?
Sections you need to do and skip
Ones you need to do:
Ones you can skip:
Why do them all?
You could conceptually try to not do them all
Auditors will challenge you and likely find a reason why you need to
Each section is important, but potentially not relevant (unlikely)
Risk Assessment (ISO 27005)
The risk assessment helps drive the ISMS. Through a review of the various risks of the company you will have a full appreciation of what needs to be handled.
What is a Risk versus an Issue?
Why would you care about risks?
Components of a risk
Cost per occurrence
Expected cost (occurrences × cost per occurrence)
Action (live with, fix, transfer, avoid)
What is the best place to manage the risk? (central/enterprise by group)
If there is a risk, do you address it?
What happens if you don’t and it happens?
Case 2 – Acme Widgets
Now that you know the scope of your system, you are going to want to identify the risks for your company. Knowing and managing risks helps ensure that they do not happen, or that you are prepared for them.
Just because you have a risk, does not mean you will do anything about it.
A risk register is often a living document; it has dozens to hundreds of lines and causes stress for some.
Group Effort 2
Reassemble in your groups
Identify five to ten risks that you feel could be related to the system(s) you are using in your ISMS
Have fun with it, think about what could or will happen
Make sure you include your various fields
Spreadsheet, paper, any medium is fine
Be prepared to explain your risks and what should be done
What risks did you identify?
Did you decide to mitigate, monitor, transfer?
Should these be managed at the project, company or some other level?
What is the most significant risk you are facing?
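The risk components above (cost per occurrence, expected cost as occurrences × cost, the action taken, and the level at which the risk is managed) worked through as a small risk register for the Acme Widgets exercise. This is an added example, not material from the original deck; the `Risk` class, the register entries and all figures are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample register for the Acme Widgets exercise (invented data).
# Fields follow the "Components of a risk" slide: cost per occurrence,
# expected occurrences, expected cost, action, and where the risk is managed.

@dataclass
class Risk:
    name: str
    system: str
    occurrences_per_year: float   # how often you expect it to happen
    cost_per_occurrence: float    # cost each time it happens
    control_cost: float           # annual cost of the fix you could apply
    transfer_cost: float = 0.0    # annual premium to transfer it (0 = not available)
    managed_at: str = "project"   # project, company or enterprise level

    def expected_cost(self) -> float:
        # Expected (annualised) cost = occurrences * cost per occurrence
        return self.occurrences_per_year * self.cost_per_occurrence

    def action(self) -> str:
        """Pick the cheapest of: live with, fix, transfer.
        "Avoid" (stop the activity) is a business decision, not priced here."""
        options = {"live with": self.expected_cost(), "fix": self.control_cost}
        if self.transfer_cost > 0:
            options["transfer"] = self.transfer_cost
        return min(options, key=options.get)

def build_register(risks):
    """Sort by expected cost, largest first, so the most significant risk is on top."""
    return sorted(risks, key=lambda r: r.expected_cost(), reverse=True)

REGISTER = build_register([
    Risk("Inventory DB corrupted, no tested restore", "Inventory management", 0.5, 200_000, 15_000),
    Risk("Customer website defaced", "Customer-facing website", 1.0, 40_000, 50_000, transfer_cost=30_000),
    Risk("Leaver keeps IDAM access after exit", "IDAM", 4.0, 5_000, 8_000, managed_at="company"),
    Risk("Manufacturing PLC outage from patching", "Manufacturing control", 2.0, 10_000, 25_000),
])

def most_significant() -> str:
    """Answer to 'What is the most significant risk you are facing?'"""
    return REGISTER[0].name

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:42} exp=${r.expected_cost():>9,.0f} "
              f"action={r.action():9} level={r.managed_at}")
```

The same register can be re-sorted after the asset inventory (Group Effort 3) changes occurrence or cost figures, which is why the deck calls it a living document.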
What comes next?
There still are many sections left in the ISMS
Knowing your assets is a good next place
As you identify the assets the risks may change
Is this OK?
What is an asset
An asset is anything you feel you should track
Stealing from ITIL, it could be anything that is a configuration item (CI)
What about cabling?
What about office supplies?
What about computers?
What about documentation?
Guidance for assets
You want to track anything that makes a difference to your company and whose cost of monitoring is less than the cost of having it.
Decide to what level you will track. Each cable will be too much; all cables may be just right.
Documents are assets too
What to track for assets
Certificate of Destruction
Group Effort 3
Go back to your groups
Identify a collection of assets that would matter for your ISMS
Fill out as many of the fields as possible
Be prepared to discuss what they are, why they matter
Are you at the right level? Why?
Why do you care about these?
How often does this need to be updated?
What do you see coming from this?
What happens if it gets out of date?
After completing all 12 sections what happens?
After you have addressed all the points of consideration for each section, you often want to bring in a pre-auditor to make sure you did a good job.
They will find things, this is good and expected.
When you have addressed them all go for the certification
Once you have the certification are you done?
Not even close!
You will have check-ups done once a year
You will have non-conformances
You will have to recertify
This is not a one and done type of effort
Take your time, do it right, document… document… document
After completing a