Information Security Management System


Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

[Figure: the CIA triad, with Information at the centre and Confidentiality, Integrity and Availability as its three properties, citing ISO/IEC 17799:2005]
Information Security Management is a top-down, business driven approach to the management of an organization's physical and electronic information assets in order to preserve their:
• confidentiality,
• integrity and
• availability.
• Increased dependence on information assets
• Increased demand for information availability
• Increased threats to information security

Consequences of a Security Breach
• Damage to the organization's image
• Depressed value of the business
• Erosion of the "bottom line"; and
• Compromised future earnings.
What is an ISMS?
An ISMS is the means by which management monitors and controls security, minimizing the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
ISO 17799 & ISO 27001

ISO 17799:2005 - Information technology - Security techniques - Code of practice for information security management
Provides a comprehensive framework to guide and focus your efforts in building an Information Security Management System (ISMS).

ISO 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements
Provides a framework for a risk based security management system that can be independently certified.

(ISO/IEC 17799:2005 was renumbered ISO/IEC 27002 in 2007, and ISO/IEC 27001:2005 has since been superseded by the 2013 and 2022 editions; the clause and control counts quoted in this presentation are those of the 2005 editions.)
ISO 17799
• An internationally recognized Code of Practice for information security management systems (ISMS)
• A comprehensive framework to guide and focus your efforts in building an Information Security Management System
• A collection of security best practices along with implementation guidance

ISO 27001:2005
• An internationally recognized requirements document for information security management systems
• A framework for building a risk based security management system that can be independently certified
[Figure: the ISO/IEC 17799/27001 control framework. Critical Information Assets sit at the centre, surrounded by Risk Assessment and Risk Treatment and by the 11 security clauses: Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Information Systems Acquisition, Development & Maintenance; Information Security Incident Management; Business Continuity Management; Compliance. In total: 11 clauses, 39 control objectives, 133 security controls.]
An Outline of ISO / IEC 17799/27001 Security Clauses

The 11 Security Clauses (number of control objectives in parentheses):
• Security Policy (1)
• Organization of Information Security (2)
• Asset Management (2)
• Human Resources Security (3)
• Physical & Environmental Security (2)
• Communications & Operations Management (10)
• Access Control (7)
• Information System Acquisition, Development & Maintenance (6)
• Information Security Incident Management (2)
• Business Continuity Management (1)
• Compliance (3)

[Figure: the same 11 clauses arranged around Organizational Structure, with a legend grouping them into Management Aspects, Technical Aspects and Physical Aspects]
Pre-Certification Preparation Methodology

(1) Define Scope
(2) Perform Gap Analysis
(3) Security Improvement Plan (SIP)
(4) Information Asset Register; Risk Assessment; Risk Treatment Plans; Selection of Controls; Initial SoA
(5) Policies, Procedures, Controls & ISMS Documentation; Final SoA
(6) Certification Readiness: Internal Audit, Management Review, Continuous Improvement

On-Going Security Program Improvement (feedback loop into the cycle)
Steps Towards Certification

[Figure: the Plan-Do-Check-Act cycle]
• Plan: Establish the ISMS
• Do: Implement & Operate the ISMS
• Check: Monitor & Review the ISMS
• Act: Maintain & Improve the ISMS
• Apply for Certification
ISMS Implementation Requires Advisory Services, Project Leadership & Staff Augmentation

Plan (4.2.1) - Establish the ISMS
• Initial Training
• ISMS Scope
• ISMS Policy
• ISMS Assets
• Gap Analysis / SIP
• Business Impact
• Threats & Vulnerabilities
• Probability of Occurrence
• Calculate / Evaluate Risks
• Prioritize Risks
• Treatment Options
• Select Controls
• Management Approval
• Prepare Initial SoA

Do (4.2.2) - Implement & Operate
• Risk Treatment Plans
• Implement Risk Treatment
• Define Effectiveness Metrics
• Document Work Instructions (WIs) & Procedures
• Implement Training & Awareness Program
• Conduct Internal Auditor Training
• Operate the ISMS
• Monitoring & Incident Response

Check (4.2.3) - Monitor & Review
• Execute Monitoring & Review Procedures
• Review ISMS Effectiveness
• Measure the Effectiveness of the Controls
• Review Risk Assessments
• Conduct Internal ISMS Audits
• Regular Management Reviews of the ISMS
• Update SIPs based on Findings
• Record Actions & Events Impacting the ISMS

Act (4.2.4) - Maintain & Improve
• Implement Identified Improvements
• Take Corrective & Preventive Actions
• Communicate the Actions & Improvements
• Ensure Improvements Achieve Objectives
• Update SoA

(The clause numbers 4.2.1 to 4.2.4 are those of ISO/IEC 27001:2005.)
Steps Towards Certification

1. Establish Project Team
2. ISMS Scope Definition
3. Identification of Assets
4. Risk Assessment
5. Risk Treatment Plan
6. Documentation Management
7. Training & Awareness
8. Internal Audit
9. Ongoing Improvement
Steps Towards Certification: Establish Project Team
• Ensure management commitment
• Select and train team members
• Establish Management Committee
• Establish Implementation Committee
• Establish Working Groups
• Team definition
Steps Towards Certification: ISMS Scope Definition
• Give careful consideration to the processes, applications & locations to be included
• The scope should recognize the business objectives, security requirements and structure of the organization
• The scope must clearly define the boundaries of the ISMS, including justification for any exclusions
Steps Towards Certification: Identification of Assets
Identify all assets important to the scope, including:
• Physical assets - IT
• Physical assets - non-IT
• Information (hard copy and electronic)
• Software
• Services
• Supporting documentation
• Intangible assets
Steps Towards Certification: Risk Assessment
• Valuation of assets: impact to the business in terms of Confidentiality, Integrity & Availability
• Threat & vulnerability assessment
• Probability of occurrence
• Effectiveness and strength of current safeguards
• Residual risk (the risk that remains once the current safeguards are taken into account)
• Determination of risk tolerance (the level of residual risk management is prepared to accept)
Steps Towards Certification: Risk Treatment Plan
• Risk management decision for each risk:
  • Terminate (stop the activity that gives rise to the risk)
  • Treat (apply controls to reduce it)
  • Transfer (e.g. insurance or contract), or
  • Tolerate (accept it, within the risk tolerance)
• Selection of controls from ISO 27001:2005 Annex A, with a direct link back to the risk assessment
• Measurement of the effectiveness of controls
• Manage risk treatment activities and resources
• Management approval of residual risk
Steps Towards Certification: Documentation Management
• Information classification, and document and records control procedures
• Internal ISMS audit plan
• Corrective & preventive action procedures
• Procedures and controls supporting the ISMS, based on the risk assessment results
• Description of the risk assessment methodology & risk treatment plan
• Development of the Statement of Applicability (SoA), with justification for controls not selected
• Objective evidence of a living & improving ISMS
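The Risk Assessment step (asset valuation by C/I/A impact, likelihood, strength of current safeguards, residual risk, tolerance), the Risk Treatment Plan step (Terminate / Treat / Transfer / Tolerate, controls linked back to the risks) and the SoA item above can be exercised end to end with a small register. The following is an added example written for this page, not code from the presentation. The 1..5 scales, the 1..25 risk score, the RISK_TOLERANCE threshold, the preference order in treatment(), and every asset, threat and risk record are constructed assumptions; the control identifiers are a subset of ISO/IEC 27001:2005 Annex A.

```python
from dataclasses import dataclass, field

RISK_TOLERANCE = 8  # assumption: residual risk on a 1..25 score at or below this is accepted

# Subset of ISO/IEC 27001:2005 Annex A, used here as the control catalogue.
ANNEX_A = {
    "A.5.1.1": "Information security policy document",
    "A.9.1.1": "Physical security perimeter",
    "A.10.5.1": "Information back-up",
    "A.11.2.1": "User registration",
    "A.12.6.1": "Control of technical vulnerabilities",
}

@dataclass
class Asset:
    name: str
    c: int  # business impact (1 low .. 5 high) if confidentiality is lost
    i: int  # ... if integrity is lost
    a: int  # ... if availability is lost

    @property
    def value(self) -> int:
        # Asset valuation: the worst-case C/I/A impact drives the rating.
        return max(self.c, self.i, self.a)

@dataclass
class Risk:
    rid: str
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # probability of occurrence, 1..5
    safeguard_strength: int  # effectiveness of current safeguards, 0..4
    planned_controls: list[str] = field(default_factory=list)  # Annex A ids
    transferable: bool = False  # insurable or contractually transferable
    terminable: bool = False    # the activity can simply be stopped

    @property
    def inherent(self) -> int:
        return self.asset.value * self.likelihood

    @property
    def residual(self) -> int:
        # Current safeguards lower the effective likelihood, never below 1.
        return self.asset.value * max(1, self.likelihood - self.safeguard_strength)

def prioritize(risks):
    """Highest residual risk first; ties broken by inherent risk."""
    return sorted(risks, key=lambda r: (r.residual, r.inherent), reverse=True)

def treatment(risk, tolerance=RISK_TOLERANCE):
    """Pick one of the four Ts; the preference order is an assumption."""
    if risk.residual <= tolerance:
        return "Tolerate"
    if risk.planned_controls:
        return "Treat"
    if risk.transferable:
        return "Transfer"
    if risk.terminable:
        return "Terminate"
    raise ValueError(f"{risk.rid}: residual {risk.residual} exceeds tolerance "
                     "and no treatment option is available")

def statement_of_applicability(risks, catalog=ANNEX_A, exclusions=None):
    """Mark every catalogue control applicable or not, each with a justification."""
    exclusions = exclusions or {}
    treats = {}  # control id -> risks it is selected to treat
    for r in risks:
        if treatment(r) == "Treat":
            for cid in r.planned_controls:
                if cid not in catalog:
                    raise KeyError(f"{r.rid} references unknown control {cid}")
                treats.setdefault(cid, []).append(r.rid)
    soa = {}
    for cid, title in catalog.items():
        selected = cid in treats
        reason = ("treats " + ", ".join(treats[cid]) if selected
                  else exclusions.get(cid, "no identified risk requires this control"))
        soa[cid] = {"title": title, "applicable": selected, "justification": reason}
    return soa

# Constructed sample register (not real data).
CUSTOMER_DB = Asset("Customer database", c=5, i=4, a=3)
PAYROLL = Asset("Payroll file share", c=4, i=4, a=2)
WEBSITE = Asset("Marketing website", c=1, i=3, a=3)
RISKS = [
    Risk("R1", CUSTOMER_DB, "external attacker", "unpatched database server",
         likelihood=4, safeguard_strength=1, planned_controls=["A.12.6.1", "A.11.2.1"]),
    Risk("R2", PAYROLL, "staff error", "no backups",
         likelihood=3, safeguard_strength=0, planned_controls=["A.10.5.1"]),
    Risk("R3", WEBSITE, "defacement", "weak admin password",
         likelihood=3, safeguard_strength=2),
    Risk("R4", CUSTOMER_DB, "fire", "single data centre",
         likelihood=2, safeguard_strength=0, transferable=True),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.rid} {r.asset.name}: inherent {r.inherent}, residual {r.residual} -> {treatment(r)}")
    soa = statement_of_applicability(RISKS, exclusions={"A.9.1.1": "premises outside ISMS scope"})
    for cid, row in soa.items():
        print(f"{cid:9} {'Yes' if row['applicable'] else 'No':3} {row['justification']}")
```

Two things the register shows that the slides only state: residual risk is what the tolerance is compared against, so a strong existing safeguard can move a risk from Treat to Tolerate without any new control, and the SoA is built from the treatment decisions rather than from the catalogue, which is what gives each selected control its "direct link back to the risk assessment" and forces an explicit reason for every control left out.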
Steps Towards Certification: Training & Awareness
• Roles & responsibilities fully understood
• Staff, contractors and third party users trained
• Competency assessed
• Training program formulation
• Role based training
• Metrics and measurements
Steps Towards Certification: Internal Audit & Ongoing Improvement
• Implementation of the Plan-Do-Check-Act model for continuous improvement
• Independent internal evaluation of compliance with security policies and procedures
• Risk based corrective actions
• Defined preventive action requirements
• Feedback into the risk management framework
• Records of continuous improvement
The Certification Audit

Application for Certification with a Certification Body
• Agree on scope and contract terms

Stage 1 Audit - Documentation Review
• Assessment of process documentation

Stage 2 Audit - System in Action
• On-site completion of audit of staff & process
• Presentation of the audit findings
• Corrective actions if required
• Award of certificate
• Certification is valid for three years

Post Certification Process
• Annual surveillance audits are required
• Internal audit program is required
• Full re-audit on the third anniversary
Thank You