ISO/IEC 27001:2013 Introduction & Overview - Handout


Slide 1: Lead Auditors’ Training Course for Information Security Management System (ISMS) based on ISO 27001:2013
Mohammad Seraji, ICE Systems
Phone: 01552566352, 01715370538
Email: mseraji@gmail.com

Slide 2: Learning Objectives
Upon completion of this training you will:
- Understand the concepts, purpose and principles of an ISMS
- Understand the process approach to an ISMS
- Understand and interpret the purpose, requirements and intent of an ISMS in line with the ISO 27001 standard and the certification process
- Understand the principles and purpose of audits and the role of the auditor
- Be able to plan, perform, report and follow up an ISMS lead audit
ISMS (ISO/IEC 27001:2013) Lead Auditors’ Training: Introduction & Overview

Slide 3: Course Timing
- Day 01: 27 August (Friday) - 10:00 AM to 08:00 PM
- Day 02: 28 August (Saturday) - 10:00 AM to 08:00 PM
- Day 03: 03 September (Friday) - 10:00 AM to 08:00 PM
- Day 04: 04 September (Saturday) - 10:00 AM to 08:00 PM
- Day 05: 10 September (Friday) - 10:00 AM to 06:00 PM

Slide 4: Course Rules
- Class will start right on time, so be present on time
- Unmute your phone if you need to talk and mute it when done
- Be attentive and participative in class; avoid talking or taking calls
- Mute your phone if there is noise in your area or you need to take an urgent call or talk to a neighbour
- In case of a power or internet failure at the tutor's premises, the class may need to be extended at the end
Slide 5: Course Delivery Method
Learning (by mistake) method:
- Presentation/Lecture
- Group Discussion
- Exercises and Workshops
- One-on-one discussion with the Tutor
Evaluation method:
- Classroom Performance: 100 marks
- Written Examination: 100 marks

Slide 6: About Classroom Performance
- Continuous evaluation
- Classroom performance: attentiveness, presence
- Interaction with the tutor: question and answer
- Exercises
- Presentation skills

Slide 7: About Written Examination
- Duration: 150 minutes
- Open book; permitted material:
  - ISO/IEC 27001:2013 Standard
  - Presentation handouts
  - Personal notes (taken during the course)
- Structure:
  - Four sections
  - Total: 100 marks (30 + 20 + 20 + 30)
  - Overall pass mark: min. 70 marks (70%)
  - Minimum 40% of the marks in each section

Slide 8: Introduction of the Delegates
- Name
- Educational background
- Organization
- Job Title / Designation
- Experience: IT & Information Security
- Knowledge of the ISO 27001 Standard
- Knowledge of other ISO Standards
Slide 9: Introduction of the Tutor
- Management System Auditor & Consultant
- Lead Auditor for the ISO 9001 International Standard
- Qualified Lead Auditor for the ISO/IEC 27001, ISO/IEC 20000-1, ISO 14001 and ISO 45001 Standards
- 12+ years of Management System Audit experience:
  - 70+ audits
  - 250+ man-days of audit
- Bangladesh Accreditation Board (BAB) Assessor for the ISO/IEC 17021, 27006 and 17065 Standards

Slide 10: Introduction of the Tutor (continued)
- BSc Engg. in EEE from BUET
- 30+ years of professional experience in ICT and related activities:
  - Hardware
  - Software
  - Networking
  - ICT Security
- Industries: ICT Vendors, Software Houses, Donors, Projects
- Countries: Bangladesh, India, Jamaica, Pakistan, Philippines, Singapore, Malaysia, UAE, KSA, UK, USA

Slide 11: Information Security Management System (ISMS) - What is Information?
- Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Slide 12: What is Security?
- "The quality or state of being secure: to be free from danger"
- To be protected from adversaries
- A successful organization should have multiple layers of security in place:
  - Physical security
  - Personal security
  - Operations security
  - Communications security
  - Network security
Slide 13: What is Information Security?
- Information security is the preservation of confidentiality, integrity and availability of information [ISO/IEC 27000:2018, 3.28]
  - Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO/IEC 27000:2018, 3.10]
  - Integrity: property of accuracy and completeness [ISO/IEC 27000:2018, 3.36]
  - Availability: property of being accessible and usable on demand by an authorized entity [ISO/IEC 27000:2018, 3.7]

Slide 14: What is a Management System?
- Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives [ISO/IEC 27000:2018, 3.41]
- To be efficient and effective, the organization can manage its way of doing things by systemizing its activities to ensure that:
  - Nothing is left out
  - Everyone is clear about who is responsible for doing what, when, how, why and where

Slide 15: What is an Information Security Management System?
- An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives. [ISO/IEC 27000:2018, 4.2.1]
- An Information Security Management System is a management system designed to protect the information assets of the organization to the required level of security through the establishment and maintenance of a set of policies, procedures, controls and practices.

Slide 16: Why is Information Security needed?
- Information security performs four important functions for an organization:
  - Protects the organization's ability to function
  - Enables the safe operation of applications implemented on the organization's IT systems
  - Protects the data that the organization collects and uses
  - Safeguards the technology assets in use at the organization
Slide 17: Why ISMS?
- Credibility, trust and confidence of customers
- Greater awareness of security
- Legal compliance
- Prevention of confidentiality breaches
- Prevention of unauthorized alteration of critical information
- Prompt detection of security incidents and fast reaction
- Competitive advantage in contract negotiations
- Image of meeting international benchmarks of security
- Reduced cost, increased profitability

Slides 18-19: ISMS Principles
1. Awareness of the need for information security
2. Assignment of responsibility for information security
3. Incorporating management commitment and the interests of stakeholders
4. Enhancing societal values
5. Risk assessments determining appropriate controls to reach acceptable levels of risk
6. Security incorporated as an essential element of information networks and systems
7. Active prevention and detection of information security incidents
8. Ensuring a comprehensive approach to information security management
9. Continual reassessment of information security and making modifications as appropriate

Slide 20: Emphasis on Process Approach
- A process is a set of interrelated or interacting activities which transforms inputs into outputs [ISO/IEC 27000:2018, 3.54]
- A desired result is achieved more efficiently when activities and related resources are managed as a process
- Measure process performance and effectiveness
- Continual improvement of processes based on measurement
[Figure: process model. INPUT enters the PROCESS (a set of interrelated or interacting activities which transforms inputs into outputs) and leaves as OUTPUT / PRODUCT; CONTROLS and RESOURCES act on the process.]
Slide 21: Emphasis on Process Approach (continued)
- A system consists of interrelated processes. Identifying, understanding and managing interrelated processes contributes to the organization's effectiveness and efficiency in achieving its objectives
- Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system

Slide 22: Improvement
- All successful organizations have an ongoing focus on improvement, to improve process performance, organizational capability and customer satisfaction
- A business cannot sustain itself in the long run without improvement
- Improvement is achieved through the Plan-Do-Check-Act (PDCA) cycle
- Continuous vs. continual improvement: ISO management system standards use "continual" (a recurring activity to enhance performance, ISO/IEC 27000:2018, 3.13), not "continuous" (uninterrupted) improvement

Slide 23: Plan-Do-Check-Act (PDCA) Cycle
- Plan: establish the objectives and the processes needed to deliver results in line with the policy
- Do: implement the processes
- Check: monitor and measure processes against the policy and objectives, and report the results
- Act: take actions to continually improve performance

Slide 24: About ISO
International Organization for Standardization
- Independent, non-governmental international organization established in 1947, based in Geneva, Switzerland
- Has a membership of 165 national standards institutes from countries in all regions of the world
Slide 25: About ISO (continued)
- Has developed 23,000+ standards covering all dimensions of sustainable development (economic, environmental and societal), such as:
  - ISO 9001 - Quality Management Systems (QMS)
  - ISO 14001 - Environmental Management Systems (EMS)
  - ISO/IEC 27001 - Information Security Management Systems (ISMS)
- The American National Standards Institute (ANSI) is the U.S. representative to ISO
- The Bangladesh Standards & Testing Institute (BSTI) has been a member of ISO since 1974

Slide 26: About the ISO 27001 Standard
- Sets out the requirements for an ISMS
- Provides the specification for a best-practice ISMS and covers the compliance requirements
- The world's most popular and most commonly used standard for Information Security Management Systems (ISMS)
- Applicable to any organization irrespective of size, industry or culture
- It does not prescribe specific technologies or how controls must be implemented (controls are selected through risk treatment), but it does require documented information, internal audits, management review, corrective action and continual improvement. Note that the 2013 edition has no separate "preventive action" requirement; that role is taken by the risk assessment and risk treatment of clause 6.1.

Slide 27: Other standards in the 27000 family
There are many other standards in the ISO 27000 series that can help you effectively implement and reap the full benefits of an ISMS. The following related standards are used in this course:
- ISO/IEC 27000 - Overview and vocabulary: the terms and definitions used in ISO/IEC 27001 and the rest of the family, together with an overview of ISMS concepts and the principles behind them.
- ISO/IEC 27002 - Code of practice for information security controls: implementation guidance for the controls listed in Annex A of ISO/IEC 27001.
- ISO 19011 - Guidelines for auditing management systems: guidance for performing audits (both internal and external) against ISO 27001 and other management system standards. Certification bodies additionally follow ISO/IEC 17021-1 and ISO/IEC 27006.

Slide 28: ISO/IEC 27000 family of Standards
Slide 29: Development of ISO 27001

Slide 30: How Does ISO 27001 Work?
- ISO 27001 is a risk-based standard. It protects the confidentiality, integrity and availability of an organization's information assets through the management of risks by:
  - finding out what potential problems could happen to the information, i.e. where the risks are (risk assessment, clause 6.1.2)
  - then defining what needs to be done to prevent such problems from happening, i.e. treating them systematically (risk mitigation or risk treatment, clause 6.1.3), through the implementation of security controls (safeguards)
- The controls chosen are compared against the reference controls in Annex A and recorded, with a justification for inclusion or exclusion, in the Statement of Applicability (clause 6.1.3 d)

Slide 31: Ten Clauses in ISO 27001:2013
Clauses 1 to 3 (Scope, Normative references, Terms and definitions) are introductory; the auditable requirements are in clauses 4 to 10:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Slide 32: Representing ISO 27001 in the PDCA Cycle
- Plan: clauses 4 to 7 (context, leadership, planning, support), which establish the ISMS, its scope, policy, objectives and risk treatment plan
- Do: clause 8 (operation), which implements the risk treatment plan and the controls
- Check: clause 9 (performance evaluation): monitoring and measurement, internal audit and management review
- Act: clause 10 (improvement): nonconformity, corrective action and continual improvement
Slide 33: Representing ISO 27001 in the PDCA Cycle (continued)

Slide 34: Advantages of Certification
- Independent check of conformity
- Indicates an effective Information Security Management System
- National/international recognition
- Provides competitive advantage
- Improves company image
- Improves the confidence of customers and other interested parties such as banks and regulatory bodies
- Compliance with customers that require certification

Slide 35: ISO 27001 Certification Process
A third-party certification body (accredited against ISO/IEC 17021-1 and ISO/IEC 27006) audits the ISMS in two stages: Stage 1 reviews the documented ISMS and readiness for audit, Stage 2 verifies implementation and effectiveness. After the certificate is issued, surveillance audits are conducted periodically and a recertification audit takes place before the certificate expires (normally after three years).

Slide 36: Questions?
Thank You for your Patience
See you in the next session after the break