Topic 8 - ISO 27001
Hello everyone!
Within the Bkis Certified Security Essential (BCSE) training, there is one part relating to
Information Security in accordance with the ISO 27001 standard. When people hear "ISO",
most think immediately of ISO 9001, which contains the quality management
standards. In fact, however, there are many standards covering various areas, such as
ISO 14000 for environmental standards, ISO 22000 for food safety, and so on; and
nowadays, for network security, we have one more standard: ISO 27001.
Slide 2
Total:
14 CONTROL ARTICLES
35 CONTROL TARGETS
114 CONTROL MEASURES
To address the question above, we should apply the ISO 27001 standard, because it
provides us with 14 control articles, 35 control targets and 114 control measures.
Slide 6
First of all, we shall become familiar with some terms that we shall use later:
1 - Requirements: clear, specific criteria that people are able to follow.
For example: nobody is allowed to come to work late. But how is "late"
determined? The requirement should state clearly that coming to work late means arriving after
8 am.
2 - Conformity and Nonconformity: there is no Right/Wrong view here, only
conformity or nonconformity with the stated requirement.
For example: staff A says a password should contain 50 characters to ensure security; staff B
says a password of 9 characters is enough to ensure security as long as it contains a special
character, because he knows that 50 characters is too long and inconvenient for daily work.
So here we shall not determine who is right and who is wrong; we shall base our judgement on
the stated requirements, and thereby determine who is conformant and who is nonconformant. For
example, the organization states the requirement that a password must contain 8 characters,
including a capital letter and a special character => a password is conformant if it is created
according to that requirement, and nonconformant if it does not meet those criteria.
According to the above two examples, both people are nonconformant with the
requirement.
Slide 9
What is ISO?
International Organization for Standardization
Established in 1947, head office in Geneva, Switzerland
Currently, ISO has 164 members, of which 111 are full members, 49 are correspondent
members and 4 are registered members
Vietnam has been an official member of ISO since 1977
First, we shall learn about the ISO organization, which is responsible for developing and
issuing the standard series.
Slide 10
The ISO 27001 standard belongs to the ISO 27000 series, which includes the following
standards:
27000: Definitions and vocabulary. It provides definitions of the terms used regularly in
the other standards of the series. In the previous slide we became familiar with the
terms Requirement, Conformity and Nonconformity; these terms are also defined
clearly in the 27000 standard.
27001: Requirements. This standard gives the requirements that an organization must comply
with when implementing the ISMS. It is the foundation for assessing
whether the organization conforms with the standard or not, for the purpose of
obtaining (or not obtaining) the certificate.
27002: Code of practice (rules) for information security management.
27003: Guidance on setting up the ISMS in accordance with the PDCA model.
27004: System measurement. Purpose of system measurement: when developing the
system, we set many targets and measure them to see whether those targets are
achieved or not.
27005: Risk management. This standard goes into detail on how risk is assessed and controlled.
27006: Assessment and certification. This standard applies to the bodies whose
function is to assess and certify other organizations. These bodies are only
permitted to grant certificates once they have themselves obtained ISO 27006.
The most significant standard of the series is ISO 27001, because it provides the
requirements that organizations must meet if they want to apply the system. The other
standards only support the process of implementation and development
in accordance with ISO 27001.
Slide 11
Issued in 2013
History of development
The predecessor of this series was BS 7799 from the British Standards Institution. At
that time, the standard applied only to software-related organizations in the UK. However, when
ISO adopted BS 7799 it improved the standard so that it applies to many more lines of business,
and it is now applied widely in many countries around the world.
Recently, ISO improved the series again and reissued it in October 2013. Currently, the
certificate held by most organizations is ISO 27001:2005; these certificates are still
valid, but organizations should have a suitable plan to transition these
certificates to ISO 27001:2013, and the deadline for this transition is the end of 2015.
Slide 13
We shall now learn about the ISO 27001 standard - Information Security Management System.
The contents of this section include:
What is an Information Security Management System?
The model of an Information Security Management System
The process of system development
Slide 14
Information
Information is an important
“asset”!!!
Information can exist in many forms: tangible or intangible. However, whatever form
information exists in, and whatever means it is stored or shared by, it always needs to
be protected appropriately. According to the ISO/IEC 27002:2005 definition, information is an
asset and, like any other business asset, it has value to the organization, so it must be
protected.
To protect information, we must be aware of the processes relating to that information.
Slide 15
Information is transmitted, used, ...
Unexpected problems: lost, corrupted, destroyed, ...
C.I.A Triad
When the above incidents occur and directly affect information, one should not disregard
the following three properties:
C - Confidentiality: information is not disclosed to individuals or entities outside the list of
those having the right to access it.
I - Integrity: protect the accuracy and completeness of information.
A - Availability: information can be accessed and used as required by the entities having
the right to access it.
Analysis of risk
Threat?
Vulnerability?
Impact?
Ask the audience to analyze together the fun illustration on the slide: the asset is the
cheese, the rat is the threat and the hole in the door is the vulnerability.
Slide 23
Analysis of risk (1)
Threat, Vulnerabilities (Weaknesses)
Risk management (2)
Risk management (3)
Asset       Threat       Vul    Impact     Control
Documents   Disclosure          C
Databases   Malware             C, I, A
Website     DDoS                A
(The Vul and Control columns are left blank on the slide.)
Notes
So, to ensure information security during daily work, here are some notes; let's look at
them and put them into practice.