
ISO/IEC 27001:2013
Information security management system.
General objectives
• To brief members on the concept of information security and the information security management system.
• Members to understand the requirements of the ISO/IEC 27001:2013 standard and how to implement it in our organization.
Session objectives
• To enhance understanding of information and information security.
• To enhance understanding of the different kinds of information and information media.
• To enhance understanding of the information life cycle in relation to the ISMS.
What is an ISMS?
An information security management system (ISMS) is a part of the overall management system, based on a risk approach, to establish, implement, maintain and continually improve information security.
Why do we need an ISMS?
• It is a requirement for ISO/IEC 27001:2013 certification.
• To make us understand the requirements of the ISO/IEC 27001:2013 standard and how to implement them in our organization.
• To make us able to develop the ISO/IEC 27001:2013 risk assessment process.


Information
• Information: an asset that exists in many forms and has value to an organization; it therefore requires proper protection.
• Asset: anything that has value to an organization.
Information Security
What is information security?
It is the preservation of Confidentiality, Integrity and Availability (C.I.A) of information.
These three aspects of information (C.I.A) MUST be preserved throughout the information life cycle.
C.I.A
• C - Confidentiality: information is not made available or disclosed to unauthorized persons or processes.
• I - Integrity: the property of protecting the accuracy and completeness of information assets.
• A - Availability: the property of information being accessible and usable upon demand by an authorized person.
Types of information
• Internal: information that must be protected due to ownership, ethical or privacy considerations.
• Confidential: information that is exempted from disclosure.
• Shared/Public: information regarded as publicly available.
Information cycle
Stages shown in the information cycle diagram: Create, Store, Distribute, Modify, Archive, Delete.
Cont.
Information MUST maintain C.I.A throughout its life cycle for it to remain protected/secured and retain authenticity. Information may need protection from creation to deletion or disposal.
Information can suffer
• Loss or theft.
• Unauthorized disclosure.
• Accidental disclosure.
• Unauthorized modification.
• Unavailability.
• Lack of integrity.
Most common information security mistakes made by individuals
• Over-trusting people.
• Leaving doors open.
• Scribbling a lot on papers.
• Carrying office work home.
• Talking loudly on the phone.
• Sharing of offices.
• Not having a clear desk policy.
• Grapevine information.
• Printing information unnecessarily.
Cont.
• Unattended, unsecured computers.
• Updating too much on social media.
• Using the office computer for personal work or vice versa.
Examples of information
• Names, addresses, phone numbers.
• Bank account numbers, credit card details.
• Personal details (health, etc.).
• Designs, patents, technical research.
• Passwords.
• Plans.
• Intelligence (on criminal activities, hostile nations, etc.).
• Bids for contracts, market research, competitive analysis.
• Security information (facility plans, etc.).
Types of information media
• Mails/e-mails
• Databases
• People's conversations
• Websites/blogs/social networking sites
• Memory sticks and flash disks
• Papers (printed, handwritten, etc.)
Context of the organization
• Understanding the organization and its context.
• The internal and external issues and the interested parties that affect and are affected by the organization.
Internal issues
• Organizational structure
• Strategic objectives
• Internal stakeholders
• Contractual relationships
• Policies and governance
• Organizational culture
External issues
• Social culture
• Legal
• Technological
• Political
• Economic
• Competition
Interested parties
• Stakeholders
• Consumers
• Suppliers
• Competitors
• Intermediaries
The organization shall determine the interested parties that are relevant to the information security management system and the requirements of these interested parties relevant to information security.
The scope
• It is a document which clearly states an organization's range (boundaries), mandate and the infrastructure (assets) in place to support delivery of its mandate.
• Note: The scope shall be available as documented information which must clearly show the processes, boundary and assets.
Defining the ISMS scope
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
• When defining the scope we need to consider:
◦ The internal and external issues.
◦ Needs and expectations of interested parties.
◦ Interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
Example
To provide quality tertiary education through teaching and research at the main and town campuses in Bangi. It also includes consultancy and common outreach services. Assets of the university are human capital, land, infrastructure, state-of-the-art equipment and the use of enterprise resource planning to support the delivery of its mandate.
LEADERSHIP
Leadership commitment
Top management shall demonstrate leadership and commitment with respect to the ISMS by:
• Ensuring the resources needed for the ISMS are available.
• Communicating the importance of the ISMS and of conforming to the ISMS requirements.
• Ensuring that the ISMS achieves its intended outcome(s).
• Ensuring the integration of ISMS requirements into the organization's processes.
Cont.
• Directing and supporting persons to contribute to the effectiveness of the ISMS.
• Promoting continual improvement.
• Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.
• Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Information security policy
• It is a high-level statement of an organization's beliefs, goals, objectives and the means for their attainment for a specific subject area.
Characteristics of an information security policy
• Brief
• Written at a broad level
• Directive
• Catches the reader's eye
• An A4-size document
Example of an information security policy
The policy's goal is to protect UKM organization's information assets against all internal and external, deliberate and accidental threats.
The VC shall approve the information security policy.
The security policy ensures that:
• Information will be protected against unauthorized access.
• Confidentiality of information is assured.
• Integrity of information will be maintained.
• Information security awareness will be provided to all personnel on a regular basis.
• Legislative and regulatory requirements will be met.
• The policy will be reviewed by the responsible team yearly and in case of any changes.
• All heads of units are directly responsible for implementing the policy at their respective levels and for the adherence of their staff.
VC SIGNATURE
Risk-based thinking
• Risk-based thinking describes the tools for identifying and managing risks.
• It also refers to a coordinated set of activities and methods that an organization puts in place to manage and control the many risks that affect the organization's ability to achieve its objectives.
• Risk-based thinking replaces what earlier versions of the standard called preventive action.
Risk assessment assists organizations in risk management to:
• Recognize the best and most relevant input data.
• Understand the benefits of the process.
• Recognize risks and their potential impacts on the organization in attaining its goals.
• Provide information for decision-makers.
Risk assessment procedure
• Identify the asset (asset inventory).
• Identify the asset owner.
• Identify the location of the asset.
• Identify the risk.
• Identify the vulnerabilities.
• Evaluate the asset (calculate the risk).
• Make a record of the findings (risk assessment matrix).
• React to non-conformities (corrective action plan).
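The eight steps above worked through as a small risk register. This is an added example, not material from the deck or from ISO/IEC 27001 itself; the 1..5 rating scale, the "likelihood × highest C/I/A value" scoring, the High/Medium/Low banding, the acceptance threshold of 9 and the sample assets are all assumptions, since the slides name the steps but give no scoring formula.

```python
from dataclasses import dataclass
SCALE = range(1, 6)       # assumption: every rating is on a 1..5 scale
ACCEPTANCE_THRESHOLD = 9  # assumption: scores above this are non-conformities

@dataclass
class Asset:              # steps 1-3: the asset, its owner and its location
    name: str
    owner: str
    location: str
    cia: tuple            # the asset's value for (Confidentiality, Integrity, Availability)

@dataclass
class Risk:               # steps 4-5: the risk (threat) and the vulnerabilities it exploits
    asset: Asset
    threat: str
    vulnerabilities: list
    likelihood: int       # 1..5

def risk_score(risk):
    """Step 6: likelihood x impact, where impact is the highest C/I/A value (assumed scheme)."""
    ratings = (*risk.asset.cia, risk.likelihood)
    if len(risk.asset.cia) != 3 or any(r not in SCALE for r in ratings):
        raise ValueError(f"ratings must be three C/I/A values and a likelihood in 1..5, got {ratings}")
    return risk.likelihood * max(risk.asset.cia)

def risk_level(score):
    """Assumed banding of the 1..25 range into the three bands of the matrix."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def risk_matrix(risks):
    """Step 7: the record of findings, one row per risk, highest score first."""
    rows = [{"asset": r.asset.name, "owner": r.asset.owner, "location": r.asset.location,
             "threat": r.threat, "vulnerabilities": r.vulnerabilities,
             "score": risk_score(r), "level": risk_level(risk_score(r))} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def corrective_action_plan(matrix):
    """Step 8: react to non-conformities, i.e. every row above the acceptance threshold."""
    return [(row["asset"], row["threat"]) for row in matrix if row["score"] > ACCEPTANCE_THRESHOLD]

# Constructed sample register (hypothetical assets and ratings, not from the deck).
STUDENT_DB = Asset("Student records database", "Registrar", "Main campus data centre", (5, 5, 4))
BROCHURE = Asset("Public course brochure", "Marketing", "University website", (1, 3, 2))
RISKS = [
    Risk(STUDENT_DB, "Unauthorized disclosure", ["shared admin account", "no encryption at rest"], 3),
    Risk(STUDENT_DB, "Unavailability", ["single server, backups never tested"], 2),
    Risk(BROCHURE, "Unauthorized modification", ["web CMS not patched"], 3),
]
MATRIX = risk_matrix(RISKS)
PLAN = corrective_action_plan(MATRIX)
```

The matrix rows carry the owner and location recorded in steps 2 and 3, so the corrective action plan can be handed to the person accountable for each asset.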
Tools
• Documentation reviews.
• Information gathering techniques.
• Brainstorming.
• Interviewing.
• Excel.
• Root cause analysis.
• SWOT analysis (Strengths, Weaknesses, Opportunities and Threats).
• PESTEL analysis (Political, Economic, Social, Technological, Environmental and Legal).
• Checklist analysis.
Things to consider when choosing a risk assessment (RA) tool
• It should be:
I. Able to collect data.
II. Able to analyze data.
III. Repeatable.
IV. Provided with clear instructions for use and analysis.
V. Able to help in the selection of controls.
VI. Able to report results in a clear and accurate manner.
VII. Installed and configured correctly.
VIII. Compatible with the organization's hardware and software in use.
What are the critical success factors for an ISMS?
To be effective, the ISMS must:
• have the continuous, unshakeable and visible support and commitment of the organization's top management;
• be managed centrally, based on a common strategy and policy across the entire organization;
• be an integral part of the overall management of the organization, related to and reflecting the organization's approach to risk management, the control objectives and controls and the degree of assurance required;
• have security objectives and activities based on business objectives and requirements and led by business management;
• undertake only necessary tasks, avoiding over-control and waste of valuable resources;
