Post on 09-Apr-2018
8/7/2019 CSPO ISACA ISO27k presentation v.02
http://slidepdf.com/reader/full/cspo-isaca-iso27k-presentation-v02 1/22
Agenda
Life Cycle Overview
Initiating
Planning
Executing
Controlling
Closing
Q & A

Topics
Relational Life Cycles
The ISO 27001 approach
Business Benefits
Critical Success Factors
Control Framework
Statement of Applicability
Scope Statement
Management's Responsibility
Capability Maturity Model
Ice breaker
Life Cycle Overview
Initiating
Control Framework
The Information Security and Privacy control framework consists of multiple levels and specific control points, mapped from the organization's business plans to departmental goals and objectives and to strategic and tactical planning.
The slide's diagram shows the relationship between each level of control within the framework and the overall Confidentiality, Integrity and Availability of information assets and system resources.
Business Benefits
Reduce risks and threats to the Confidentiality, Integrity and Availability of the organization's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate known risks and threats.
Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best-practice framework for consistent, concise security administration.
Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain awareness of sensitive data.
Improve assurance testing and validation outcomes by Internal Audit and External Auditors, to further assure the organization's Executive Management Team that the organization's Information Assets and System Resources are secure.
Reduce the likelihood that an accidental security incident or breach of personal information caused by the organization's staff could adversely affect the organization's reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.
Critical Success Factors
Information security policy, objectives, and activities that reflect business objectives;
An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organization's culture;
Visible support and commitment from all levels of management, especially Executives;
A good understanding of the information security requirements, risk assessment, and risk management;
Effective marketing of information security to all managers, employees, and other parties to achieve awareness;
Distribution of guidance on information security policy and standards to all managers, employees and other parties;
Provision to fund information security management activities;
Providing appropriate awareness, training, and education;
Establishing an effective information security incident management process;
Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement.
Planning
ISO27k approach
Information Security Management System
"Plan-Do-Check-Act" (the process model of ISO/IEC 27001:2005, the edition whose clause numbers this presentation cites)
Capability Maturity Model
Critical Timeline Dependencies
Finalize the approval of the organization's information security policy before initiating employee education and awareness.
Facilitate managers' meetings and departmental meetings to provide managers and employees with an ISO perspective tailored to their work environment.
Facilitate employee education and awareness before conducting internal audits against compliance with the policy.
Conduct ISO27k conformance audits against employee compliance with the information security policy to provide assurance that the organization is complying with ISO27k standards.
Build up 1 to 3 months' worth of evidence that the organization is complying with ISO27k standards before we can achieve certification.
The ISO27k certification will provide our partners, members, clients/customers and regulatory officials with independent evidence of the organization's standard of care for information protection.
Execution
Management's Responsibility
Management commitment (ref. ISO27k clause 5.1; the clause numbers cited here are those of ISO/IEC 27001:2005 and were renumbered in the 2013 revision)
Management shall provide evidence of its commitment to the establishment, implementation, operation,
monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organization the importance of meeting information security objectives and
conforming to the information security policy, its responsibilities under the law and the need for
continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and
improve the ISMS (ref. ISO27k clause 5.2.1);
f) deciding the criteria for accepting risks and the acceptable levels of risk;
g) ensuring that internal ISMS audits are conducted (ref. ISO27k clause 6); and
h) conducting management reviews of the ISMS (ref. ISO27k clause 7).
Documentation
Statement of Applicability (SoA) Matrix
Non-conformance Template
Legal Obligations Matrix
Compliance Matrix
Asset Inventory Matrix
Standard Threat-Risk Assessment
Meeting Minutes Template
Standard Communication Format
Status Reporting Template
Risk Treatment Plan
Standard Policy Format
Master Document Inventory
Standard Audit Plan
Continual Improvement Plan
ISMS Manual
Risk Assessment Methodology
Audit Methodology
Internal Audit Practice
Document Control Practice
Corrective and Preventative Practice
Information Handling Practice
Scope
Statement of Applicability
Please note: the ISO/IEC 27001 Statement of Applicability did not indicate that the organization had excluded any of the base ISO27k controls. Under ISO/IEC 27001 every excluded control must be listed in the SoA with its justification, so an SoA that records no exclusions commits the organization to every Annex A control at audit.
Legal Obligations
Control Matrix
Controlling
Scope Stage One Timeline
Timeline axis (2007-08): July, Aug, Sept, Oct, Dec, Jan
Master Action Plan
Facilitate ISO27k training/awareness
BSI pre-certification assessment
Provide practice training as necessary
Implement ISO27k/ISMS program
Formalize ISO27k/ISMS Statement of Applicability
Communications plan
BSI - ISO27k/ISMS Nonconformities plan
Draft/Publish ISO27k/ISMS Policies
Coordinate a Desktop Review
Coordinate Full Audit
Registration Completed
GT05 Internal Audit Practice ref. # 6 & 4.3.1
GT02a Risk Treatment Plan ref. # 4.3.1
GT04 Continual Improvement ref. # 8 - 4.3.1
GT02b Statement of Applicability ref. # 4.3.1
GT01 Management Review Practice ref. # 7
GT03 Information Handling Practice ref. # 7.1 - 7.2.2
ISO27k/ISMS Scope Statement
Questions