Topic 8 - ISO 27001


Slide 1

ISO 27001 information security management system

Hello everyone!
The Bkis Certified Security Essential (BCSE) training includes a part on information security in accordance with the ISO 27001 standard. When ISO is mentioned, most people immediately think of ISO 9001, the quality management standard. In fact there are many standards covering various areas, such as ISO 14000 for environmental management and ISO 22000 for food safety, and for information security we now also have ISO 27001.
Slide 2

Why should we apply ISO 27001?

So, why should we apply ISO 27001?


Slide 3

Why should we apply ISO 27001?

For example, what should we do to protect this laptop?


1 - Lock the laptop to the desk when leaving it.
2 - Encrypt the data on the laptop.
3 - Or, more carefully, carry the laptop with us all day.
Slide 4

Why should we apply ISO 27001?

How many measures are there? Are they enough?

However, are these measures enough?


Slide 5

Why should we apply ISO 27001?

Total:

14 CONTROL DOMAINS

35 CONTROL OBJECTIVES
114 CONTROLS

To answer the question above, we apply the ISO 27001 standard: its Annex A gives us 14 control domains, 35 control objectives and 114 controls to choose from.
Slide 6

Advantages when applying ISO 27001


Find and treat promptly the risks to information security.
Ensure information security for the whole system.
Ensure business continuity.
Gain a competitive edge, protect the brand.
Comply with the law.

The advantages of applying this set of standards are as follows:


1 - Find and treat information security risks promptly, and ensure information security for the whole system: returning to the example above, how do we protect the laptop? We identify and analyse the risks that can occur to it, and from that select the control measures. Risk analysis is discussed in more detail in a later section of the program.
2 - Ensure business continuity: once the risks have control measures, the organization's operations are not interrupted and its delivery of services is not affected.
3 - Gain a competitive edge and protect the brand: customers can rely on the products and services the organization provides. Organizations that sell software are often required to have such a system in place.
4 - Comply with the law of the host country, for example intellectual property law, which requires that the software in use be properly licensed.
Slide 7

INFORMATION SECURITY MANAGEMENT SYSTEM UNDER THE ISO 27001 STANDARD

Here, we shall look closely at the ISO 27001 standard.


Slide 8

Several main terms

Requirements: company rules, ISO 27001 standard, law, client.

Conformity: meets the requirements (actual practice matches the requirement).

Nonconformity: does not meet the requirements.

First of all, let us become familiar with some terms that we shall use later:
1 - Requirements: clear, specific criteria that people are able to act on.
For example: "No one is allowed to come to work late." How is "late" calculated? The requirement should state clearly that coming to work late means arriving after 8 am.
2 - Conformity and nonconformity: there is no right/wrong here, only conformity or nonconformity with the stated requirement.
For example: staff member A says a password should contain 50 characters to be secure; staff member B says 9 characters are enough as long as one of them is a special character, because he knows that 50 characters are too long and inconvenient to work with. We do not decide who is right or wrong; we judge against the stated requirement and determine who conforms and who does not. Suppose the organization's requirement is that a password must contain 8 characters, including an uppercase letter and a special character: a password conforms if it meets that requirement and is nonconforming if it does not. Measured against that requirement, neither of the two proposals above conforms as stated: A says nothing about uppercase or special characters, and B has no uppercase letter.
Slide 9

What is ISO?
International Organization for Standardization
Established in 1947, headquartered in Geneva, Switzerland
Currently, ISO has 164 members: 111 full members, 49 correspondent members and 4 subscriber members
Vietnam has been an official member of ISO since 1977

First, we look at the ISO organization, which is responsible for developing and issuing the standard series.
Slide 10

ISO 27000 Standards series


ISO 27000:2009 - Overview and vocabulary
ISO 27001:2013 - Requirements
ISO 27002:2013 - Code of practice for information security controls
ISO 27003:2010 - Guidance on implementing an ISMS (PDCA)
ISO 27004:2009 - Measurement
ISO 27005:2008 - Risk management
ISO 27006:2007 - Audit and certification

ISO 27001 belongs to the ISO 27000 series, which includes the following standards:
27000: Overview and vocabulary. It defines the terms used regularly in the other standards of the series. The terms Requirement, Conformity and Nonconformity from the previous slide are also defined clearly in 27000.
27001: Requirements. This standard states the requirements an organization must comply with when implementing the system. It is the basis for assessing whether the organization conforms to the standard, and hence whether it can be certified.
27002: Code of practice for information security controls.
27003: Guidance on setting up an ISMS following the PDCA model.
27004: Measurement. When developing the system we set many targets, and we measure to see whether they are achieved.
27005: Risk management. This standard goes into how risk is assessed and controlled.
27006: Audit and certification. This standard applies to the bodies that assess and certify other organizations; they may only issue certificates once they themselves satisfy ISO 27006.
The most significant standard of the series is ISO 27001, because it sets the requirements that an organization must meet if it wants to apply the system. The other standards only support the implementation and development of the system in accordance with ISO 27001.
Slide 11

What is ISO 27001:2013?

Information Security Management System –


Requirements
- Issued by ISO
- Ordinal number 27001
- Issued in 2013

Well, why is the standard named ISO 27001:2013?


Information Security Management System - Requirements
Issued by the ISO organization
Ordinal number 27001
Issued in 2013. The number 27001 was assigned when the idea for this series of standards was planned.
Slide 12

History of development

2/1995 - BS 7799 Part 1 issued
2/1998 - BS 7799 Part 2 issued
12/2000 - ISO 17799 issued
16/06/2005 - BS ISO/IEC 17799 issued (from Part 1 of BS 7799)
18/10/2005 - BS ISO/IEC 27001 issued (from Part 2 of BS 7799)
01/10/2013 - ISO 27001:2013 issued

The predecessor of this series was BS 7799 of the British Standards Institution. At that time the standard was applied mainly by organizations in the UK, largely in the software sector. ISO then adopted BS 7799 and improved it so that it applies to many more lines of business and is used widely in many countries around the world.
Recently, ISO revised the standard again and reissued it in October 2013. At present the certificate held by most organizations is ISO 27001:2005. Those certificates remain valid, but organizations should plan to transition them to ISO 27001:2013; the transition period ends in 2015.
Slide 13

ISO 27001 - Information Security Management System

What is Information Security


Management System?
Model of Information Security
Management System
Process of System development

We shall now learn about ISO 27001 - Information Security Management System.
The contents of this section include:
What is an Information Security Management System?
Model of an Information Security Management System
Process of system development
Slide 14

Information

Documents Databases Website

Information is an important "asset"!!!

There are three forms in which information occurs:


1 - Visible: things that carry information, such as a disk.
2 - Visible and tangible: for example, we buy a computer, start it up and copy the technology stored inside it.
3 - Invisible: for example speech, which nevertheless carries knowledge or important content and affects the activities of individuals or organizations.

Thus information can exist in many forms, tangible or intangible. Whatever form it takes, and whatever means it is stored on or shared by, it always needs to be appropriately protected. As ISO/IEC 27002:2005 puts it, information is an asset that, like other important business assets, has value to the organization and consequently needs to be suitably protected.
To protect information, we must be aware of the processes that involve it.
Slide 15

Information and information security


Operations related to the information
Created Stored Processed

Transmitted Used

Unexpected problems
- Lost
- Corrupted
- Destroyed
- ...

Below are the activities that involve information:


Creating information: typing a Word document.
Storing information: on a computer (soft copy), or in a cabinet in the case of a hard copy.
Handling: deleting or editing the information as needed. Transferring: delivering the information to others, for example via email. Using the information.
Around these activities, unexpected incidents can occur, such as:
Lost (L): the information is leaked.
Corrupted (C): the information has been modified without authorization.
Destroyed (D): the information is lost completely. For example, the computer is hacked and the attacker takes all of the data stored on it.
Slide 16

What is information security?


CIA
- C: Confidentiality
- I: Integrity
- A: Availability

C.I.A Triad

When the incidents above occur and directly affect information, the following properties are what is at stake:
C - Confidentiality: information is not disclosed to individuals or entities outside the list of those authorized to access it.
I - Integrity: the accuracy and completeness of information are protected.
A - Availability: information can be accessed and used on demand by the entities authorized to access it.

In general, to ensure information security one balances the three CIA properties; however, depending on the organization's line of business, it can adjust the weight given to C and A. For example, an organization in banking and finance gives prominence to confidentiality and integrity, so its password requirements are stricter than those of other organizations, at some cost to availability (the convenience with which authorized users can get at the information).
Slide 17

Information Security Management System

An information security management system is the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security (ISO 27000).

The foundation is risk analysis: identify the risks to assets, find their causes, and select appropriate controls.
Nothing is absolutely safe; vulnerabilities appear from time to time, so absolute management is impossible. The level of management therefore depends on the level of risk the organization's management is willing to accept: if it accepts a high level of risk, management is loose; if it accepts only a low level, management is tight. The degree of management is the organization's own decision, and the system must then be managed well.
Improvement: when monitoring shows that problems with the system are causing difficulties for the organization's activities, the system should be improved.
Slide 18

Model of Information Security Management System

PDCA is the general management model for many systems, such as information security and quality.
P - Plan: set out the resources, criteria and constraints.
D - Do: implement, monitor, collect data.
C - Check: compare the plan against actual implementation.
A - Act: how to improve continuously.
Two words are especially important here. Plan means setting the requirements that people must implement. For example, the organization requires that staff not come to work late, i.e. after 8 am; without this requirement, people would surely arrive at all kinds of hours.
Second, Check: once the requirement is set, nobody knows whether staff implement it conformably or not. To determine this, checks must be conducted to find breaches, and the checks must be based on evidence, because conclusions must rest on specific evidence.
During operation, an organization runs many different PDCA cycles.
Slide 19

Requirements of standard– General Requirements

The general requirements of the standard correspond to the PDCA model of the previous slide: in the slide, green is P, blue is D, yellow is C and red is A.
4 - Context of the organization
Requires the organization to identify its internal and external issues.
Requires explicit consideration of interested parties.
Helps to identify the information security policy and objectives, and how to consider risk and its effects on business activities.
The requirements of interested parties can also include legal requirements and contractual provisions.
5 - Leadership
Describes the specific requirements for the role of top management in the ISMS.
Gives specific ways in which leaders demonstrate their commitment to the system, for example: ensuring the resources needed to implement the system are available; communicating the importance of information security management and of conforming to the standard; ensuring that responsibilities and authorities relating to information security are assigned and communicated.
6 - Planning
Establish information security objectives and the rules guiding the whole system.
Consider risks and opportunities in the organization's context.
Consider the information security objectives; they must follow the SMART rule (Specific, Measurable, Achievable, Relevant and Time-bound).
Develop the Statement of Applicability (SOA).
7 - Support
Requires support for establishing, applying, maintaining and continually improving the system, including: resources, competence of the people involved, awareness, communication with interested parties, and control of documented information.
8 - Operation
Requires the organization to plan and control its operations in accordance with the requirements of the standard. Most importantly, the organization must carry out risk assessment periodically and treat the risks.
9 - Performance evaluation
Internal audit and management review are the key methods and instruments for continually improving performance.
Gives specific requirements for measuring the effectiveness of the system.
10 - Improvement
Nonconformities are handled together with corrective action.
Continual improvement is a basic requirement.
Slide 20

Requirements of standard- Annex A

A5 - Information security policies
A6 - Organization of information security
A7 - Human resource security
A8 - Asset management
A9 - Access control
A10 - Cryptography
A11 - Physical and environmental security
A12 - Operations security
A13 - Communications security
A14 - System acquisition, development and maintenance
A15 - Supplier relationships
A16 - Information security incident management
A17 - Information security aspects of business continuity management
A18 - Compliance
Whether each control in Annex A is applied or not must be recorded in the organization's SOA document, together with the justification for applying or not applying it.
Slide 21

Analysis of risk (1)


Threat
- A potential cause of an unwanted incident that may harm the system
Vulnerability
- A weakness of the system
Impact
- On C, I, A
Risk
- The potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization

- Threat: a potential cause of an unwanted incident that may harm the system. For example, for a laptop, threats include theft of the laptop and hacking of the data on it.
- Vulnerability: a weakness of the system through which a threat can affect our assets. For example, leaving the laptop unlocked when not in use, which lets others access it and steal the data on it.
- Impact: information security consists of the three CIA properties; if a risk causes the loss of one of them, that loss is the impact on information security.
- Risk: the potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization.
Slide 22

Analysis of risk

Threat?
Vulnerability?
Impact?

Ask the audience to analyse the cartoon on the slide together: the asset is the cheese, the rat is the threat, and the hole in the door is the vulnerability.
Slide 23

Analysis of risk(1)
Threats:
- Natural hazards
- Unexpected problems
- Intentional incidents

Vulnerabilities (weaknesses) can relate to:
- Location of the factory or office
- Management
- Competence
- Monitoring

Let us learn more about threats and vulnerabilities.

Threats:
- Natural hazards: volcanoes, earthquakes, ...
- Unexpected problems: power outages, broken computers, ...
- Intentional incidents: hacking a computer, stealing equipment, ...
Vulnerabilities:
- Location of the factory: located in a low-lying area that floods regularly.
- Management: the system is loose and fails to give clear requirements to employees.
- Competence: the competence of a person does not match the position.
- Monitoring: requirements exist, but nobody monitors whether practice is consistent with them.
Slide 24

Risk management(2)

There are four options for treating risk.


Transfer: transfer the risk to a third party. For example, one buys health insurance; when a health problem occurs, the insurer bears most of the cost.
Avoid: avoid the risk by removing the exposure altogether. This is normally reserved for high-value assets where the risk, if it materialized, would seriously affect the organization's operations, because it requires large investments of people and resources. For example, for an important section of source code, a separate computer is set aside to store it, placed in a separate room and guarded all day.
Reduce: apply appropriate controls to bring the risk down to a level the organization can accept. For example, to protect the data on a computer, the organization requires staff to encrypt the data, back it up regularly and lock the computer when leaving it. The risk can still occur, but the likelihood is much lower than without any controls, so the organization knows the risk has been reduced to an acceptable degree.
Accept: accept the risk. This applies when a risk has been identified but the organization does not yet have the capacity to control it, so the risk is accepted for now and reviewed in the periodic risk assessment.
However, nothing is absolutely safe: whichever option is applied, some risk is ultimately accepted, so the organization must plan to review and assess its risks periodically.
Slide 25

Risk management(3)
Asset       Threat        Vulnerability              Impact    Control
Documents   Disclosure    Papers left on the desk    C         Store in a drawer when away from the desk
Databases   Malware       No antivirus installed     C, I, A   Install antivirus software
Website     DDoS          No firewall in place       A         Set up a strong firewall

Some illustrations of risk management follow.


For the asset "documents", one threat is theft, the vulnerability is papers arranged messily on the desk, the impact is on the confidentiality of the asset, and the control is to store the documents in the desk drawer whenever one is away from the desk.
For the asset "data", the threat is a virus, the vulnerability is that no antivirus software has been installed, the C, I and A properties are all affected, and the control is to install antivirus software.
For the asset "website", one threat is denial of service, the vulnerability is that no firewall has been set up, and the A property of the system is affected. A strong firewall system should be set up.
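The table above, together with the four treatment options of the previous slide, can be turned into a working risk register. What follows is an added example, not code from the original slides or from Bkis: it scores each asset/threat/vulnerability row on assumed 1-5 likelihood and impact scales, picks one of the four treatment options using assumed thresholds and an assumed risk appetite, computes the residual risk after the chosen control, and produces a Statement of Applicability entry for every candidate Annex A control, including one that is excluded with a justification. The Annex A control references chosen for each row and the sample register itself are this example's own assumptions, constructed for illustration.

```python
"""Qualitative risk register with treatment selection and a Statement of
Applicability (SoA), in the style of Slides 24 and 25.

Added example, not code from the original slides or from Bkis. The 1-5 scales,
the risk appetite, the treatment thresholds and the Annex A control chosen for
each risk are this example's own assumptions; the register is constructed data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

AVOID_THRESHOLD = 20   # assumed: scores at or above this are avoided outright


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact_on: Tuple[str, ...]                  # subset of ("C", "I", "A")
    likelihood: int                             # 1 (rare) .. 5 (almost certain)
    impact: int                                 # 1 (negligible) .. 5 (severe)
    control: Optional[str] = None               # Annex A control that treats it
    residual: Optional[Tuple[int, int]] = None  # (likelihood, impact) after control


def score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact on the assumed 1-5 scales, so 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def choose_treatment(likelihood: int, impact: int, appetite: int) -> str:
    """Map a score to one of the four options from Slide 24 (rules assumed)."""
    s = score(likelihood, impact)
    if s <= appetite:
        return "accept"        # within appetite: accept, review next cycle
    if s >= AVOID_THRESHOLD:
        return "avoid"         # too severe to keep running: remove the exposure
    if impact >= 4 and likelihood <= 2:
        return "transfer"      # rare but severe: insure or outsource (e.g. DDoS scrubbing)
    return "reduce"            # otherwise apply controls


def assess(register, appetite: int):
    """Score every row, pick a treatment and compute residual risk after the control."""
    results = []
    for i, r in enumerate(register, start=1):
        inherent = score(r.likelihood, r.impact)
        t = choose_treatment(r.likelihood, r.impact, appetite)
        if t == "avoid":
            residual = 0                 # exposure removed entirely
        elif t == "accept" or r.residual is None:
            residual = inherent          # nothing changes the risk
        else:
            residual = score(*r.residual)
        results.append({
            "id": f"R{i}", "asset": r.asset, "threat": r.threat,
            "cia": "".join(r.impact_on), "inherent": inherent,
            "treatment": t, "control": r.control, "residual": residual,
            "acceptable": residual <= appetite,   # False => must be re-treated
        })
    return results


def statement_of_applicability(results, candidate_controls):
    """Every candidate control gets a decision plus a justification, as the SoA requires."""
    soa = {}
    for c in candidate_controls:
        users = [res["id"] for res in results
                 if res["control"] == c and res["treatment"] != "accept"]
        if users:
            soa[c] = ("applicable", "treats " + ", ".join(users))
        else:
            soa[c] = ("not applicable", "no risk in the register requires it")
    return soa


# Constructed sample register: the rows of Slide 25, the laptop of Slide 3 and
# the source-code example of Slide 24. Control references are assumed choices.
SAMPLE_REGISTER = [
    Risk("Documents", "theft/disclosure", "papers left on the desk", ("C",),
         3, 2, "A.11.2.9 Clear desk and clear screen policy", (1, 2)),
    Risk("Databases", "malware", "no anti-malware installed", ("C", "I", "A"),
         4, 4, "A.12.2.1 Controls against malware", (2, 4)),
    Risk("Website", "DDoS", "no network filtering in front of the site", ("A",),
         2, 5, "A.13.1.1 Network controls", (2, 2)),
    Risk("Laptop", "stolen off-site", "disk not encrypted", ("C",),
         3, 5, "A.10.1.1 Policy on the use of cryptographic controls", (3, 1)),
    Risk("Critical source code", "exfiltration over the network",
         "stored on a networked workstation", ("C",), 4, 5,
         "A.11.1.3 Securing offices, rooms and facilities"),
    Risk("Printed meeting notes", "loss", "no copy kept", ("A",), 2, 1),
]
APPETITE = 4   # assumed risk appetite: scores of 4 or less are accepted

CANDIDATE_CONTROLS = [r.control for r in SAMPLE_REGISTER if r.control] + [
    "A.14.2.7 Outsourced development",   # assumed: no development is outsourced
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER, APPETITE)
    for row in rows:
        print(row)
    for ctrl, (decision, why) in statement_of_applicability(rows, CANDIDATE_CONTROLS).items():
        print(f"{ctrl}: {decision} ({why})")
```

Note the database row: the chosen anti-malware control leaves a residual score of 8, above the appetite of 4, so it is flagged with acceptable=False and must either be treated further or be formally accepted by management; that flag is exactly what the periodic risk review on the previous slide is meant to catch. The excluded control shows the other half of the SOA: a control is never simply left out, it is listed as not applicable with the reason.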
Slide 26

Notes


So, to ensure information security in our daily work, there are some notes below; let us look at them and put them into practice.