ISACA ISO 27K Presentation

Transcript of ISACA ISO 27K Presentation

  • 8/7/2019 ISACA ISO 27K Presentation

    1/38

    Slide 1

    Information Security Management Systems

    An ISO 27001 Introduction

    Mahmood Justanieah

    ISACA-Jeddah Technical Meeting

    18-March-2009


    Slide 2

    19h00: Information Security

    ISO 27001:2005 and ISO 27002:2005

    Control objectives and controls

    Differences between ISO 27001 and other standards (ITIL, COBIT, ISO 20000)

    19h45: Questions & Answers

    20h00: Closure


    Slide 3

    Section 1

    Information Security


    Slide 4

    Compliance requirements, new notification laws and the growing number of breaches have made organizations aware that they need a structured approach to data security.

    Organizations are increasingly dependent on information assets

    Information users (internal and external) are demanding increased availability

    The number of incidents that threaten the continuity of operations is growing

    A single security breach can:

    destroy a company's image

    depress the value of the business

    erode the bottom line; and

    compromise future earnings

    Scenario


    Slide 5

    For 2007, the cost per compromised record continued to increase (2007 Annual Study: US Cost of a Data Breach, research conducted by Ponemon Institute LLC).

    The average total cost per reporting company was more than 6.3 million US dollars per breach, and ranged from 225,000 to almost 35 million US dollars.

    Data breach costs


    Slide 6

    Cause of data breach

    Lost or stolen laptops and other devices such as USB flash drives were the most significant source of a data breach. (2007 Annual Study: US Cost of a Data Breach, research conducted by Ponemon Institute LLC)


    Slide 7

    Risks and Threats

    Data Breach:

    Media attention

    Breach notifications

    Brand degradation

    Government agency audit

    Customer complaint

    Government agency's finding/order

    Litigation

    Loss of customer

    Non-Compliance:

    Restrictions on business activities

    Loss of a contract

    New privacy controls

    Publicly named through a Commissioner's order or legal proceedings

    Over-Compliance:

    Unnecessary restrictions on business activities

    Decreased customer satisfaction

    Competitive disadvantage


    Slide 8

    Information as an Asset

    Information is:

    An asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.

    Source: ISO/IEC 27002:2005 Section 0.1

    Asset Definition:

    anything that has value to the organization

    Source: ISO/IEC 27001:2005, 3.1


    Slide 9

    Information Security not IT Security

    Information must be protected throughout its entire lifecycle:

    Creation

    Storage

    Processing

    Distribution

    Information must be protected independent from its format or media

    Not IT

    Paper document (on desks, in waste bins, left on photocopiers)

    Whiteboards; conversations overheard

    Conversations on public transports

    People


    Slide 10

    Information Security

    Information Security

    preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

    Source: ISO/IEC 27001:2005

    Confidentiality: Ensuring that information is accessible only to those authorized to have access. Clause 3.3 of ISO/IEC 27001

    Integrity: Safeguarding the accuracy and completeness of information and processing methods. Clause 3.8 of ISO/IEC 27001

    Availability: Ensuring that authorized users have access to information and associated assets when required. Clause 3.2 of ISO/IEC 27001


    Slide 11

    Information Security Management System

    Information Security Management System (ISMS)

    That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

    It is a management process, not a technological process

    Strategic decision of an organization

    Design and implementation

    Needs and objectives

    Security requirements

    Processes employed

    Size and structure of the organization

    Scaled with needs


    Slide 12

    Section 2

    ISO 27001: 2005 and ISO 27002:2005


    Slide 13

    The History of ISO 27001

    1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

    1995: This document is amended and re-published by the British Standards Institution (BSI) as BS7799.

    1996: Support and compliance tools begin to emerge, such as COBRA. David Lilburn Watson becomes the first qualified certified BS7799 auditor.

    1999: The first major revision of BS7799 is published, including many major enhancements. Accreditation and certification schemes are launched; LRQA and BSI are the first certification bodies.

    2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).


    Slide 14

    The History of ISO 27001

    2002: A second part to the standard is published: BS7799-2. This is an information security management specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.

    2005: A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.

    2005: ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.


    Slide 15

    ISO 27001

    There are two closely related standards:

    ISO/IEC 27001 is the specification of requirements for an Information Security Management System (ISMS).

    ISO/IEC 27002:2005 is the code of practice and can be regarded as a comprehensive catalogue of good security things to do.

    ISO/IEC 27001

    Specifies requirements:

    For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS

    Designed to:

    Ensure adequate security controls to protect information assets, documented in the ISMS

    Give confidence to customers & interested parties


    Slide 16

    Other related standards

    ISO/IEC 27006 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

    ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications

    SSE-CMM, Systems Security Engineering Capability Maturity Model, now released as ISO/IEC 21827:2002

    Helps organizations determine their security maturity relative to a set of capability metrics

    Under development

    ISO/IEC 27000 - an introduction and overview of the ISMS family of standards, plus a glossary of common terms

    ISO/IEC 27003 - ISMS implementation guide

    ISO/IEC 27004 - information security management measurements

    ISO/IEC 27005 - information security risk management

    ISO/IEC 27007 - guideline for auditing ISMSs

    ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry

    ISO 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry


    Slide 17

    Process Approach

    ISO 27001 has adopted a process approach, which means an organization needs to identify and manage many activities in order to function effectively

    Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process

    Inputs >>>>>>> Process >>>>>>> Outputs*

    *Often, outputs from one process provide inputs into the next

    The process approach for an ISMS encourages users to emphasize the importance of:

    understanding an organization's information security requirements and the need to establish POLICY and OBJECTIVES for information security

    implementing and operating CONTROLS to manage an organization's information security risks in the context of the organization's overall business risks

    monitoring and reviewing the performance and effectiveness of the ISMS, and

    CONTINUAL IMPROVEMENT based on objective measurement


    Slide 18

    PDCA

    Plan, Do, Check, Act is to be applied to structure all ISMS processes

    The figure illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations


    Slide 19

    PDCA

    The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adapting the security system to changing requirements.

    This results in a control loop known as PDCA model:

    Plan and implement security controls

    Operate security controls

    Monitor the security system and the world around you

    Initiate necessary change of the security system


    Slide 20

    Compatibility with other management systems

    ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.

    ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.

    This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.


    Slide 21

    Compliance to ISO/IEC 27001

    All clauses in ISO/IEC 27001 are mandatory

    Risk treatment plan based on the risk assessment

    Documentation supporting the various clauses

    Statement of Applicability based on the scope, justifying the choice of controls

    Annex A lists the control objectives and controls from which the organization selects

    A valid justification must be documented for any Annex A control that is excluded

    Chosen controls must be documented for audit purposes

    Certification to the standard requires that all clauses be implemented


    Slide 22

    Process Flow for Information Security

    Step 1: Define the information security policy. Output: information security policy.

    Step 2: Define the scope of the ISMS. Output: scope of ISMS.

    Step 3: Undertake risk assessment. Inputs: threats, vulnerabilities, impacts. Outputs: risk assessment; information assets; results and conclusions.

    Step 4: Manage the risk. Inputs: the organization's approach to risk management; degree of assurance required. Output: areas of risk to be managed.

    Step 5: Select control objectives and controls to be implemented. Inputs: control objectives and controls; additional controls. Outputs: selected control options; Statement of Applicability.


    Slide 23

    Implementation of an ISMS - Plan

    Establish and manage the ISMS

    Scope and boundaries

    Policy / objectives

    Define risk assessment approach

    Identify risks

    Analyse and evaluate the risks

    Identify and evaluate options for treatment of risks

    Select control objectives & controls (Annex A)

    Obtain management approval of the proposed residual risks

    Obtain management authorisation to implement and operate the ISMS

    Prepare a Statement of Applicability
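    The Plan steps above, worked through as an added example in Python (this is not code from the presentation, from ISACA or from the standard). It models the risk assessment approach, the residual risks that need management approval, and the Statement of Applicability with a justification for every excluded Annex A control. The assets, threats, 1..5 scores, acceptance threshold, exclusion reasons and the mapping of controls to risks are all constructed for illustration; the Annex A identifiers follow ISO/IEC 27001:2005, whose numbering mirrors the ISO/IEC 27002:2005 clauses referenced elsewhere in the slides.

```python
"""Plan-phase worked example: risk assessment, risk treatment and Statement of
Applicability (SoA). Added illustration, not code from the presentation.
Assets, threats, scores, the acceptance threshold, the exclusion reasons and
the control-to-risk mapping are all constructed. Annex A identifiers follow
ISO/IEC 27001:2005, whose numbering mirrors the ISO/IEC 27002:2005 clauses."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed risk assessment approach (clause 4.2.1 c): qualitative 1..5 scales,
# risk level = likelihood * impact, and a management-set acceptance criterion.
ACCEPTABLE_RISK = 6

# Subset of Annex A used by the example (id -> title), constructed here.
ANNEX_A = {
    "A.5.1.1":  "Information security policy document",
    "A.8.2.2":  "Information security awareness, education and training",
    "A.9.2.5":  "Security of equipment off-premises",
    "A.10.7.1": "Management of removable media",
    "A.10.9.1": "Electronic commerce",
    "A.13.1.1": "Reporting information security events",
    "A.15.1.4": "Data protection and privacy of personal information",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "accept"                    # accept | mitigate | transfer | avoid
    controls: list[str] = field(default_factory=list)
    likelihood_after: Optional[int] = None       # estimates once controls operate
    impact_after: Optional[int] = None

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if score not in range(1, 6):
                raise ValueError(f"score {score} outside the 1..5 scale")
        if self.treatment == "mitigate" and not self.controls:
            raise ValueError("treatment 'mitigate' needs at least one control")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk level expected after treatment; avoiding removes the risk."""
        if self.treatment == "avoid":
            return 0
        lik = self.likelihood if self.likelihood_after is None else self.likelihood_after
        imp = self.impact if self.impact_after is None else self.impact_after
        return lik * imp


def risks_above_acceptance(register: list[Risk]) -> list[Risk]:
    """Residual risks management must approve explicitly (clause 4.2.1 h)."""
    return [r for r in register if r.residual() > ACCEPTABLE_RISK]


def unknown_controls(register: list[Risk], catalogue=ANNEX_A) -> set[str]:
    """Control references that are not in the catalogue (typos, wrong edition)."""
    return {c for r in register for c in r.controls if c not in catalogue}


def statement_of_applicability(register: list[Risk], exclusions: dict[str, str],
                               catalogue=ANNEX_A) -> dict[str, dict]:
    """One SoA row per catalogue control: applicable with the risks that justify
    it, or excluded with a documented reason (clause 4.2.1 j)."""
    soa = {}
    for cid, title in catalogue.items():
        users = [f"{r.asset} / {r.threat}" for r in register if cid in r.controls]
        if users:
            row = {"applicable": True, "justification": "treats: " + "; ".join(users)}
        elif cid in exclusions:
            row = {"applicable": False, "justification": exclusions[cid]}
        else:  # neither selected nor justified: an audit finding waiting to happen
            row = {"applicable": False, "justification": "UNJUSTIFIED"}
        soa[cid] = {"title": title, **row}
    return soa


def soa_gaps(soa: dict[str, dict]) -> list[str]:
    return [cid for cid, row in soa.items() if row["justification"] == "UNJUSTIFIED"]


# Constructed register; the first entry is the lost-laptop scenario from slide 6.
REGISTER = [
    Risk("Customer database", "Unauthorised disclosure", "Unencrypted extract on laptop",
         likelihood=4, impact=5, treatment="mitigate",
         controls=["A.9.2.5", "A.10.7.1", "A.8.2.2"], likelihood_after=2, impact_after=3),
    Risk("HR records", "Privacy breach", "No handling rules for personal data",
         likelihood=3, impact=4, treatment="mitigate",
         controls=["A.15.1.4", "A.5.1.1"], likelihood_after=2, impact_after=4),
    Risk("Cafeteria menu", "Tampering", "Shared edit rights", likelihood=3, impact=1),
]
EXCLUSIONS = {"A.10.9.1": "No e-commerce service exists inside the ISMS scope"}

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:18} inherent={r.inherent():2} residual={r.residual():2} ({r.treatment})")
    print("needs management approval:", [r.asset for r in risks_above_acceptance(REGISTER)])
    print("unjustified exclusions:", soa_gaps(statement_of_applicability(REGISTER, EXCLUSIONS)))
```

    Run as-is it flags the HR records risk (residual 8 against an acceptance level of 6) as needing explicit management approval, and flags A.13.1.1 as a control that is neither selected nor excluded with a reason, which is exactly the gap an auditor will raise against the Statement of Applicability.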


    Slide 24

    Implementation of an ISMS - Do

    Implement and operate the ISMS

    Formulate risk treatment plan

    Implement risk treatment plan

    Define how to measure effectiveness of selected controls

    Implement controls selected to meet control objectives

    Implement training and awareness

    Manage operations and resources

    Implement procedures and other controls


    Slide 25

    Implementation of an ISMS - Check

    Monitor and review the ISMS

    Execute monitoring procedures and other controls

    Undertake regular reviews of the effectiveness of the ISMS

    Measure effectiveness of controls

    Review risk assessments at planned intervals

    Review level of residual risk and identified acceptable risk

    Internal ISMS audits / Management review

    Update security plans

    Record actions and events


    Slide 26

    Implementation of an ISMS - Act

    Maintain and improve the ISMS

    Implement identified improvements

    Take appropriate corrective and preventive actions

    Communicate the actions and improvements

    Ensure improvements achieve intended objectives


    Slide 27

    Section 3

    Control objectives and Controls


    Slide 28

    "The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."

    Gene Spafford

    Director, COAST (Computer Operations, Audit and Security Technology)

    Purdue University


    Slide 29

    Purpose of controls in ISO/IEC 27002/27001

    27002 specifies aspects of an effective information protection program suitable to the needs of business and industry

    Protection in 27002 is based on assuring the integrity, availability and confidentiality of corporate information assets

    Assurance is attained through controls that management creates and maintains within the organization.

    Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks


    Slide 30

    ISO 27002 domains

    Security Policy

    Organization of Information Security

    Asset management

    Human resources security

    Physical and environmental security

    Communications and Operations Management

    Access Control

    Information Systems Acquisition, Development and Maintenance

    Information Security Incident Management

    Business Continuity Management

    Compliance


    Slide 31

    Selection of Controls

    Additional control objectives and controls:

    An organization might consider that additional control objectives and controls are necessary

    Not all the controls will be relevant to every situation:

    Consider local environmental or technological constraints

    Present controls in a form that suits every potential user in the organization

    Choice of controls


    Slide 32

    Choice of controls

    Controls considered to be essential to an organization from a legislative point of view include:

    intellectual property rights (see 15.1.2)

    safeguarding of organizational records (see 15.1.3)

    data protection and privacy of personal information (see 15.1.4).

    Controls considered to be common best practice for information security include:

    information security policy document (see 5.1.1)

    allocation of information security responsibilities (see 6.1.3)

    information security education and training (see 8.2.2)

    reporting information security events (see 13.1.1)

    information security aspects of business continuity management (see 14.1)


    Slide 33

    Section 4

    Differences with Other Standards

    ITIL, ISO 20000, COBIT


    Slide 34

    Definitions

    COBIT

    COBIT stands for Control Objectives for Information and Related Technology. COBIT is issued by ISACA (Information Systems Audit and Control Association), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing an information systems audit, whether related to a financial audit or a general IT audit.

    ITIL

    ITIL stands for Information Technology Infrastructure Library. ITIL, issued by the OGC (Office of Government Commerce), is a framework for managing IT service levels. Although ITIL is similar to COBIT in many ways, the basic difference is that COBIT sets its standard from a process and risk perspective, whereas ITIL sets its standard from the perspective of basic IT services.


    Slide 35

    ISO27001

    ISO 27001 differs much more from COBIT and ITIL, because ISO 27001 is a security standard, so it has a smaller but deeper domain compared with COBIT and ITIL.

    Here is the detailed comparison table of these three standards.

    Comparison

    Area           | COBIT                                | ITIL                          | ISO 27001
    Function       | Mapping IT processes                 | IT service level management   | Information security framework
    Coverage       | 4 domains, 34 processes              | 9 processes                   | 11 control domains (Annex A)
    Issuer         | ISACA                                | OGC                           | ISO/IEC
    Implementation | Information systems audit            | Managing service levels       | Compliance with a security standard
    Consultant     | Accounting firm, IT consulting firm  | IT consulting firm            | IT consulting firm, security firm, network consultant


    Slide 36


    Slide 37

    Q&A


    Slide 38

    [email protected]