Nic Isms
ISMS Concepts
What is Information?
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. (ISO/IEC 27002)
[Figure: the information life cycle and the threats around it]
Information is stored, processed, transmitted, copied and eventually destroyed, and at each stage it can be corrupted. Threats shown around the cycle: theft, sabotage, misuse, hacking; version control problems; unrestricted access over the organization's links (VSAT, leased line, dial-in, Internet); systems/network failure; viruses; lack of documentation; fire and natural calamities. Security policies sit at the centre of the diagram.
What is needed?
Management concerns:
o Market reputation
o Business continuity
o Disaster recovery
o Business loss
o Loss of customer confidence
o Legal liability
o Cost of security
Security measures/controls:
o Technical
o Procedural
o Physical
o Logical
o Personnel
o Management
Examples?
Information Security
Information Security is about protecting information through selection of appropriate security controls. It
o protects information from a range of threats
o ensures business continuity
o maximizes return on investments and business opportunities
o minimizes financial loss
[Figure: business issues on one side, information systems on the other, with information security linking the two]
Objectives of Information Security
Preservation of
Confidentiality: ensuring that information is accessible only to those authorised to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorised users have access to information and associated assets when required.
(Definitions in the ISO/IEC 17799 wording used by the course.)
Why ISMS?
Information security that can be achieved through technical means alone is limited.
Security also depends on people, policies, processes and procedures.
Resources are not unlimited.
It is not a one-off exercise but an ongoing activity: establish, implement, operate, monitor, review, maintain and improve information security.
ISMS is a management assurance mechanism for the security of information assets with respect to their
o availability
o integrity and
o confidentiality
ISMS Auditor / Lead Auditor Training Course Version 4.4
Information Security Management System
[Figure: ISMS elements] Security requirements drive a risk assessment, which comprises asset identification and valuation together with threat and vulnerability assessment; the risk assessment in turn determines the policy, procedures and controls.
[Figure: incident cycle] A threat leads to an incident, which leads to damage. Control activities are shown against each stage of the cycle: detection, repression, correction, recovery and evaluation.
ISMS Standards
ISO/IEC 27001:2005
A specification: it specifies requirements for implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
Specifies the requirements for implementing security controls, customised to the needs of the individual organisation or part thereof.
Used as a basis for certification.
ISO/IEC 27001:2005 - Requirements
ISO/IEC 27002:2005 - Code of Practice
ISO/IEC 27007 - Audit Guidelines (still in draft when this course was written; published as ISO/IEC 27007:2011)
ISO/IEC 27003:2010 - Implementation Guidance
ISO/IEC 27005:2008 - Risk Management
ISO/IEC 27004:2009 - Measurements
ISO/IEC 27011:2009 - Telecommunications Organizations
ISO 27799:2008 - Health Organizations
ISO/IEC 17021
Conformity assessment: requirements for bodies providing audit and certification of management systems
ISO/IEC 19011:2002
Guidelines for management system auditing
[Figure: the Plan-Do-Check-Act cycle applied to ISMS processes]
Interested parties bring information security requirements and expectations into the cycle; managed information security is its output.
Plan: establish the ISMS
Do: implement and operate the ISMS
Check: monitor and review the ISMS
Act: maintain and improve the ISMS
The cycle covers development, implementation, maintenance and improvement of the ISMS.
IEEE/EIA 12207.0-1996
IEEE/EIA Standard: Industry Implementation of International Standard ISO/IEC 12207:1995 (ISO/IEC 12207), Standard for Information Technology - Software life cycle processes, March 1998
Structure of ISO/IEC 27001:2005
1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
4.1 General
4.2 Establish and manage the ISMS
4.3 Documentation requirements
4.3.3 Control of Records
5. Management Responsibility
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
8.1 Continual Improvement
8.2 Corrective Actions
8.3 Preventive Actions
Annexure A, B & C
5. Management Responsibility
6. Internal ISMS Audits
[Figure: Annexure A hierarchy] 11 domains, 39 control objectives, 133 controls (the figure's arrows: controls satisfy objectives; objectives specify requirements).
Structure of Annexure-A
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical and Environmental Security
A.10 Communications and Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
(The eleven control domains of ISO/IEC 27001:2005 Annex A.)
Session 05
Technical Compliance
Internal ISMS Audits
Management Review
ISMS Documentation
Why documentation?
What needs to be documented?
What are the mandatory procedures required by ISO 27001?
Levels of documentation:
o Procedures
o Operational documents
o Records
Extent of Documentation
Size & type of organization
Complexity & interaction of processes
Details in documentation
Complexity of infrastructure
Competence of personnel
Session 11
Certification Process
Application
Application Fee
Supporting Documents
Cursory Evaluation
Adequacy Assessment
Stage 1 Audit
Stage 2 Audit
Certification
Maintenance of Certification
Other Aspects
Renewal
Modification to Scope of Certification
Suspension/Withdrawal/Cancellation
Appeals & Complaints
Maintenance of Certification
Surveillance Audits
The purpose of surveillance is
o to verify that the approved ISMS continues to be implemented,
o to consider the implications of changes to that system initiated as a result of changes in the client organization's operation, and
o to confirm continued compliance with certification requirements.
Benefits of ISO 27001 Certification
An internationally recognized, structured methodology
A single reference point for identifying the range of controls needed for most situations where information systems are used
A defined process to evaluate, implement, maintain and manage information security
The standard provides a yardstick against which security can be judged