ISO/IEC 27001:2013 Introduction & Overview - Handout
• Management System Auditor & Consultant
• Lead Auditor for the ISO 9001 International Standard
• Qualified Lead Auditor for the ISO/IEC 27001, ISO/IEC 20000-1, ISO 14001, and ISO 45001 Standards
• 12+ years of Management System Audit Experience:
  – 70+ Audits
  – 250+ Man-days of Audit
• Bangladesh Accreditation Board (BAB) Assessor for the ISO/IEC 17021, 27006 and 17065 Standards

• BSc Engg. in EEE from BUET
• 30+ years of professional experience in ICT & related activities:
  – Hardware
  – Software
  – Networking
  – ICT Security
• Industries: ICT Vendors, Software Houses, Donors, Projects
• Countries: Bangladesh, India, Jamaica, Pakistan, Philippines, Singapore, Malaysia, UAE, KSA, UK, USA
ISMS (ISO/IEC 27001:2013) Lead Auditors’ Training: Introduction & Overview
Information Security Management System (ISMS)
What is Information?
• Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Information Security Management System (ISMS)
What is Security?
• “The quality or state of being secure--to be free from danger”
• To be protected from adversaries
• A successful organization should have multiple layers of security in place:
  – Physical security
  – Personal security
  – Operations security
  – Communications security
  – Network security
Information Security Management System (ISMS)
What is Information Security?
• Information Security is the preservation of confidentiality, integrity and availability of information [ISO/IEC 27000:2018, 3.28]
  – Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO/IEC 27000:2018, 3.10]
  – Integrity: property of accuracy and completeness [ISO/IEC 27000:2018, 3.36]
  – Availability: property of being accessible and usable on demand by an authorized entity [ISO/IEC 27000:2018, 3.7]

Information Security Management System (ISMS)
What is a Management System?
• Set of interrelated or interacting elements of an organization to establish policies & objectives, and processes to achieve those objectives [ISO/IEC 27000:2018, 3.41]
• To be efficient and effective, the organization can manage its way of doing things by systemizing its activities to ensure:
  – Nothing is left out
  – Everyone is clear about who is responsible for doing what, when, how, why and where
Information Security Management System (ISMS)
What is an Information Security Management System?
• An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. [ISO/IEC 27000:2018, 4.2.1]
• An Information Security Management System is a management system designed to protect the information assets of the organization to the level of required security through the establishment and maintenance of a set of policies, procedures, controls and practices.

Information Security Management System (ISMS)
Why is Information Security needed?
• Information security performs four important functions for an organization:
  – Protects the organization’s ability to function
  – Enables the safe operation of applications implemented on the organization’s IT systems
  – Protects the data that the organization collects and uses
  – Safeguards the technology assets in use at the organization
Why ISMS?
• Credibility, trust and confidence of customers
• Greater awareness of security
• Legal compliance
• Prevention of confidentiality breaches
• Prevention of unauthorized alteration of critical information
• Prompt detection of security incidents and fast reaction
• Competitive advantage in contract negotiations
• Image of meeting international benchmarks of security
• Reduced cost, increased profitability

ISMS Principles (diagram slide)
Emphasis on Process Approach
• A system consists of interrelated processes. Identifying, understanding and managing interrelated processes contributes to the organization's effectiveness and efficiency in achieving its objectives.
• Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.

Improvement
• All successful organizations have an ongoing focus on improvement, to improve process performance, organizational capability and customer satisfaction.
• A business cannot be sustained in the long run without improvement.
• Improvement is achieved through the Plan-Do-Check-Act (PDCA) Cycle.
• Continuous vs. Continual Improvement
International Organization for Standardization (diagram slide)
Ten Clauses in ISO 27001:2013 (diagram slide)

Representation of ISO 27001 in the PDCA Cycle (diagram slide)
Advantages of Certification
• Independent check of conformity
• Indicates an effective Information Security Management System
• National/international recognition
• Provides competitive advantage
• Improves company image
• Improves confidence of customers and other interested parties, such as banks and regulatory bodies
• Compliance with customers requiring certification
Thank You for your Patience