
ISO/IEC 27001:2013

LEAD IMPLEMENTER TRAINING

TRAINER: TRIVESH SHARMA, OYUNTUGS B.


• What is required by Clause 8 of ISO/IEC 27001:2013?
• What procedures/instructions to follow?
• What records to keep?

LECTURE 1.
METHODS OF IMPLEMENTING - CLAUSE 8 OF ISO 27001:2013
What ISO 27001 requires in clause 4.1?

• External issues
• Internal issues
Operation
• This clause is all about the execution of the plans and processes that are the subject of the previous clauses. It deals with the execution of the actions determined and the achievement of the information security objectives. In recognition of the increased use of outsourced functions in today’s business world, these outsourced processes also need to be identified and controlled. Any changes, whether planned or unintended, and their consequences for the ISMS need to be considered here. It also deals with the performance of information security risk assessments at planned intervals and the need for documented information to be retained to record their results. Finally, there is a section that deals with the implementation of the risk treatment plan and, again, the need for its results to be retained as documented information. This clause of the standard defines the requirements necessary to operate an ISMS. They include the following key elements:
• 8.1 Operational planning and control
• 8.2 Information security risk assessment
• 8.3 Information security risk treatment
OPERATION

Clause 8.1 requires a demonstration of processes controlling critical security-related activities. Some mechanisms to assist with conformance to this subsection include:
• The use of documented security plans or security calendars;
• Monitoring and controlling changes to the environment;
• Implementing controls around third-party outsourcing arrangements.
• Clause 8.2 requires the risk assessment to be performed when significant changes occur or are proposed. In addition, this clause requires the review of the risk assessments at planned intervals. In a practical sense, this is usually performed annually and is tracked by activity in the security calendar. Evidence of the output of such planned risk reviews must be available. Clause 8.3 requires risk treatments to be implemented and monitored.
Operational planning and control

• The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled.
• To implement effective processes the following practices are crucial:
1. Processes are created by adapting or formalizing an organization’s “business as usual” activities.
2. Systematic identification of the information security risks relevant to each process.
3. Clear definition and communication of the set of activities required to manage the associated information security risks when an event occurs (e.g. a new employee joining the company).
4. Clear assignment of the responsibilities for carrying out related activities.
5. Adequate allocation of resources to ensure that related activities can take place as and when required.
6. Routine assessment of the consistency with which each process is followed and its effectiveness in managing relevant information security risks.

For each process, designate an individual as accountable for ensuring that steps 2-6 happen. This individual is often referred to as
the Process Owner.
Operational planning and control
• Relationship between assets, threats, and vulnerabilities
So, let’s see what this matching of the three components could look like, for example:
• Asset: paper document
threat: fire; vulnerability: the document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
threat: unauthorized access; vulnerability: the document is not locked in a cabinet (potential loss of confidentiality)
• Asset: digital document
threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity, and availability)
threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity, and availability)
threat: unauthorized access; vulnerability: the access was given to too many people (potential loss of confidentiality, integrity, and availability)
• Asset: system administrator
threat: unavailability of this person; vulnerability: there is no replacement for this position (potential loss of availability)
threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability), etc.
Information security risk assessment

• The organization shall perform information security risk assessments at planned intervals or
when significant changes are proposed or occur, taking account of the criteria established in 6.1.2
a). The organization shall retain documented information on the results of the information
security risk assessments.

• STEPS IN A SAMPLE RISK ASSESSMENT METHOD

1. Identify the critical processes within the scope
2. Identify the information assets required
3. Consider threats (agencies that could cause loss) against the asset
4. Identify vulnerabilities (weaknesses exploited by threat)
5. Assess consequences to the agency if the threat occurs
6. Assess the realistic likelihood of risk eventuating
7. Determine risk rating
8. Compare against acceptance criteria
9. Determine treatment options if required
10. Monitor treatment implementation
11. Repeat from step 1
MEASURES OF LIKELIHOOD

Tables similar to the one below are often seen within risk models. One
consideration should be if the timeframes within these types of tables are
appropriate for assessing information security risks. One challenge related to
the use of a single likelihood table for all types of risk has been the relevance
to information security events.
Measures of Consequence
• It is more common to use a single consequence table across the organization. For this to be practical, the consequence (or impact) domains must represent all possible areas of impact across the risk portfolio. The more detailed the information in the consequence table, the more likely it is that a comparable value will be selected during risk assessments. There may be consequences in a number of impact areas; the risk assessor should select the highest impact value.
Information security risk treatment

• Once the risk assessment has been concluded and the risk is rated, the rating is compared to the agreed risk acceptance criteria. If the risk rating is greater than the acceptable level of risk, treatment options need to be considered.
There are four alternatives for risk treatment. These are:
1. Mitigating the risk by applying additional appropriate controls;
2. Knowingly and objectively accepting the risk, providing this clearly satisfies the organization’s risk management policy in terms of the levels of authorization required to accept risks above the defined risk acceptance criteria;
3. Avoiding the risk by avoiding or terminating the activity that creates the risk; and,
4. Transferring the associated business risks to other parties, e.g. insurers.
Transference of risk is an effective choice when the impact of this risk is financial in nature. For instance, insuring against loss from an environmental event such as a flood reduces the financial impact on the organization. The risk treatment plan you develop cannot simply remain as a statement of intent; it must be implemented.
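The sample risk assessment method above (identify asset, threat and vulnerability, rate likelihood and consequence, compare the rating with the acceptance criteria, flag risks for treatment) as a small worked script. This is an added example, not material from the training deck: the 1-5 likelihood and consequence scales, the acceptance threshold and the rating formula (likelihood times the highest consequence) are assumptions, since the deck only says "determine risk rating"; the sample risks are constructed from the asset/threat/vulnerability pairs on the earlier slide.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed 1-5 scales; the deck shows no concrete likelihood or consequence table,
# so these values and the acceptance threshold are assumptions for illustration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # ratings above this exceed the (assumed) risk acceptance criteria

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impacts: Dict[str, str]  # impact domain -> consequence level, e.g. {"financial": "minor"}

def consequence_level(impacts: Dict[str, str]) -> int:
    """Several impact domains may be hit; the deck says to select the highest value."""
    return max(CONSEQUENCE[level] for level in impacts.values())

def risk_rating(risk: Risk) -> int:
    """Assumed rating formula: likelihood x highest consequence (the deck leaves the formula open)."""
    return LIKELIHOOD[risk.likelihood] * consequence_level(risk.impacts)

def build_register(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[dict]:
    """Steps 7-9 of the method: rate each risk, compare to acceptance criteria, flag for treatment."""
    register = []
    for r in risks:
        rating = risk_rating(r)
        register.append({
            "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
            "rating": rating, "status": "treat" if rating > threshold else "accept",
        })
    return sorted(register, key=lambda entry: entry["rating"], reverse=True)

# Constructed sample built from the asset/threat/vulnerability pairs on the earlier slide.
SAMPLE_RISKS = [
    Risk("paper document", "fire", "not stored in a fire-proof cabinet", "unlikely",
         {"availability": "major"}),
    Risk("digital document", "unauthorized access", "access control scheme not properly defined",
         "likely", {"confidentiality": "major", "financial": "minor"}),
    Risk("system administrator", "unavailability of this person", "no replacement for this position",
         "possible", {"availability": "moderate"}),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_RISKS):
        print(f"{entry['rating']:>2}  {entry['status']:<7} {entry['asset']}: {entry['threat']}")
```

The register output is the evidence Clause 8.2 asks you to retain; re-running it after a significant change is step 11 of the method.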
What records to keep?

• Risk Assessment
• Risk Register
Example slides: Risk Assessment Sheet; Risk Register.
