
Session 1

ISMS Concepts

Information and Information Security


Information Security Management System
Purpose of ISMS
Process of developing ISMS
Characteristics of good ISMS

What is Information?
Information is an asset that, like other important business assets, is essential to an
organization's business and consequently needs to be suitably protected. (ISO/IEC 27002)

Asset: anything that has value to the organization

Information can exist in many forms:
- data stored on computers
- transmitted across networks
- printed out
- written on a paper sent by fax
- stored on disks
- held on microfilm
- spoken in conversations over the telephone
- ...

Information Life Cycle

Information can be:
- Created
- Stored
- Processed
- Transmitted
- Destroyed?
- Copied
- Used (for proper and improper purposes)
- Lost!
- Corrupted!

Whatever form the information takes, or means by which it is shared or stored, it should
always be appropriately protected throughout its life cycle.
ISMS Auditor / Lead Auditor Training Course Version 4.4

Some Common Security Concerns to Information Assets

[Diagram of concerns surrounding information assets; labels recovered below]
- High user knowledge of IT systems
- Theft, sabotage, misuse, hacking
- Version control problems
- Security policies
- Connectivity: VSAT, Leased, Dial In, INET
- Unrestricted access
- Systems / network failure
- Virus
- Lack of documentation
- Fire
- Natural calamities


What is needed?

Management concerns:
- Market reputation
- Business continuity
- Disaster recovery
- Business loss
- Loss of confidential data
- Loss of customer confidence
- Legal liability
- Cost of security

Security Measures/Controls:
- Technical
- Procedural
- Physical
- Logical
- Personnel
- Management


Examples?

Information Security
Information Security is about protecting Information through selection of appropriate
Security Controls. It:
- protects information from a range of threats
- ensures business continuity
- maximizes return on investments and business opportunities
- minimizes financial loss

[Diagram labels: Business, Information Systems]


Objectives of Information Security
Preservation of:

Confidentiality:
Ensuring that information is available to only those authorised to have access.

Integrity:
Safeguarding the accuracy and completeness of information & processing methods.

Availability:
Ensuring that information and vital services are available to authorized users when required.


Information Security Model


Why ISMS?
- Information security that can be achieved through technical means is limited
- Security also depends on people, policies, processes and procedures
- Resources are not unlimited
- It is not a one-off exercise, but an ongoing activity

All these can be addressed effectively and efficiently only by establishing a proper
Information Security Management System (ISMS).


Information Security Management System (ISMS)
ISMS is that part of the overall management system, based on a business risk approach, to
establish, implement, operate, monitor, review, maintain and improve information security.

ISMS is a management assurance mechanism for the security of information assets concerning
their:
- availability
- integrity and
- confidentiality

Process for developing an ISMS

[Diagram; elements recovered below in process order]
- Assets identification & valuation
- Threats & Vulnerabilities Assessment
- Risk Assessment
- Security Requirements (together with Legal Requirements and Business Requirements)
- Selection of controls (ISO/IEC 27001)
- Policy, Procedures & Controls
- Information Security Management System

Characteristics of a good ISMS

[Diagram; labels recovered below]
Stages: Threat, Incident, Damage, Recovery
Measures: Prevention, Reduction, Detection, Repression, Correction, Evaluation

ISMS Standards
ISO/IEC 27001:2005
- A specification (specifies requirements for implementing, operating, monitoring,
  reviewing, maintaining & improving a documented ISMS)
- Specifies the requirements for implementing security controls, customised to the needs
  of the individual organisation or part thereof
- Used as a basis for certification

ISO/IEC 27002:2005 (originally ISO/IEC 17799:2005)
- A code of practice for Information Security management
- Provides best practice guidance
- Use as required within your business
- Not for certification

The security control clauses of ISO 27001 and ISO 27002 are fully harmonized.

ISMS family of Standards: Relationship

- ISO 27000:2009 - Overview and Vocabulary
- ISO 27001:2005 - Requirements
- ISO 27002:2005 - Code of Practice
- ISO 27003:2010 - Implementation Guidance
- ISO 27004:2009 - Measurements
- ISO 27005:2008 - Risk Management
- ISO 27006:2006 - Certification body Requirements
- ISO 27007:2010? - Audit Guidelines
- ISO 27011:2009 - Telecommunications Organizations
- ISO 27799:2008 - Health Organizations

Status as on 31st March, 2010

Other Related Standards

ISO/IEC TR 18044:2004
IT Security techniques - Information security incident management

ISO/IEC 17021
Conformity assessment - Requirements for bodies providing audit and certification of
management systems

ISO/IEC 19011:2002
Guidelines for management system auditing


PDCA Model applied to ISMS Processes

[Diagram: Development, Maintenance and Improvement Cycle; labels recovered below]
Input: Interested Parties - Information Security Requirements & Expectations
- Plan: Establish ISMS
- Do: Implement & Operate ISMS
- Check: Monitor & Review ISMS
- Act: Maintain & Improve ISMS
Output: Interested Parties - Managed Information Security

ISO 27001 Structure

ISO 27001:2005
1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
   4.1 General
   4.2 Establish and manage ISMS
   4.3 Documentation
       4.3.3 Control of Records
5. Management Responsibility
   5.1 Management Commitment
   5.2 Resource Management
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
   8.1 Continual Improvement
   8.2 Corrective Actions
   8.3 Preventive Actions
Annexure A, B & C

ISMS process framework requirements
ISO 27001 Clause 4-8

4. Information Security Management System
   4.2 Establishing and managing the ISMS
   4.3 Documentation requirements
5. Management Responsibility
6. Internal ISMS Audits
   Why conduct Internal Audits?
   Who conducts Internal Audits?
7. Management Review of the ISMS
8. ISMS Improvements
   What is the difference between Corrective Action and Preventive action?

ISMS control requirements
Annexure A: Control objectives & controls

ISO 27001: Control Objectives and Controls
[Diagram; labels recovered below]
- 11 Domains
- 39 Control Objectives
- 133 Controls
Relationships shown: Specifies Requirements, Satisfies Objectives

Structure of Annexure-A
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical & environmental security
A.10 Communications & operations management
A.11 Access control
A.12 Information Systems Acquisition, development & maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance

ISO 27002 Structure

- 1 introductory clause on Risk assessment and Treatment
- 11 security control clauses (fully harmonised with ISO 27001)
- 39 main security categories, each containing
  - a Control Objective and
  - one or more controls to support achievement of the control objective
- Control descriptions, each containing
  - Control statement
  - Implementation Guidance
  - Other Information


Session 05

ISMS Implementation, Documentation, Maintenance & Improvement

Action plan for ISMS implementation
Activities in establishing, implementing, monitoring and improving ISMS
Documentation requirements of ISMS

Preparation & Implementation

- Management Decision & Continued Commitment
- Study ISO 27001:2005
- Establish ISMS Framework
- Establish Security Organization, Responsibility & Infrastructure
  - Designate Chief Information Security Officer
  - Establish Security Forum
  - Encourage Participation by All
- Develop Inventory of Assets
- Gap Analysis / Status Appraisal
- Establish ISMS
- Document
- Create Awareness - Provide Training(s) as needed
- Implement
- Monitor
  - Technical Compliance
  - Internal ISMS Audits
  - Management Review
- Update & Continually Improve

Establishing and Managing ISMS
1. Establish ISMS (PLAN)
2. Implement ISMS (DO)
3. Monitor and review ISMS (CHECK)
4. Maintain & Improve ISMS (ACT)

The participants in four groups are to identify various activities identified under PLAN,
DO, CHECK and ACT.
Preparation time: 10 min.


ISMS Documentation
Why Documentation?
What needs to be documented?
What are the mandatory Procedures required by ISO 27001?

Documents and records can be in any form or type of medium.


Typical ISMS Document Classification

Security Policy Manual
Summary of management framework including the information security policy and the control
objectives and implemented controls given in the statement of applicability.

Procedures
Procedures adopted to implement the controls required.

Operational Documents
Explains details of specific tasks or activities.

Records
Evidence of activities carried out.


Extent of Documentation
[Diagram: factors determining the details in documentation]
- Size & Type of organization
- Complexity & interaction of processes
- Complexity of Infrastructure
- Competence of Personnel


Session 11

Certification Industry & Process

Certification Process
ISMS certification and Legal compliance

Certification Process
- Application
  - Application Fee
  - Supporting Documents
- Cursory Evaluation
- Adequacy Assessment
- Stage 1 Audit
- Stage 2 Audit
- Certification
- Maintenance of Certification
- Other Aspects
  - Renewal
  - Modification to Scope of Certification
  - Suspension/Withdrawal/Cancellation
  - Appeals & Complaints

Basic Requirements for Certification - 1
Evidence of creation of ISMS through system requirements:
- Information Security Policy
- Scope Statement
- Risk Assessment
- Statement of Applicability
- The Management System


Basic Requirements for Certification - 2
Evidence of operation of Management controls:
- Management Review
- Various forms of system review
- Document management
- Records Management
- Existence of essential controls
- Implementation & effectiveness of controls selected as applicable


Maintenance of Certification
Surveillance Audits
The purpose of surveillance is
o to verify that the approved ISMS continues to be implemented,
o to consider the implications of changes to that system initiated as a result of changes in
  the client organization's operation, and
o to confirm continued compliance with certification requirements.

Surveillance programs should normally cover
o the system maintenance elements, which are internal ISMS audit, management review and
  preventive and corrective action;
o changes to the documented system;
o areas subject to change;
o selected elements of ISO/IEC 27001;
o other selected areas as appropriate.

ISMS Certification vs Legal Compliance
ISMS Certification is a voluntary certification and is not a substitute for compliance with
legal requirements. Compliance with ISO 27001 does not in itself confer immunity from legal
obligations.
The maintenance and evaluation of legal and regulatory compliance is the responsibility of
the client organization.
The certification body shall restrict itself to checks and samples in order to establish
confidence that the ISMS functions in this regard.
The certification body shall verify that the client organization has a management system to
achieve legal and regulatory compliance applicable to the information security risks and
impacts.


Benefits of ISO 27001 Certification
- An internationally recognized structured methodology
- A single reference point for identifying a range of controls needed for most situations
  where information systems are used
- A defined process to evaluate, implement, maintain and manage information security
- The standard provides a yardstick against which security can be judged
- A set of tailored policy, standards, procedures and guidelines
- Facilitation of trade in a trusted environment