© 2013 Cambridge Technical Communicators Slide 1
ISO/IEC 27001
Standard for Information Security Management
Systems
Slide 2
Information Security Requirements
• ISO 27001: the specification an ISMS is audited and certified against
• ISO 27002: the accompanying code of practice describing the controls
• Both can be bought from the BSI website: http://17799.standardsdirect.org
• The Information Security Forum (ISF) publishes the 2007 Standard of Good Practice (SoGP), a complementary control catalogue
Slide 3
Process
• A) Identify information security risks: the threats, the vulnerabilities they could exploit and the impact if they did
• B) Design and implement information security controls, choosing a risk treatment for each risk (reduce, avoid, transfer or accept)
• C) Maintain the security policy and adopt an ongoing management process so that the risk picture and the controls are reviewed over time
Slide 4
ISMS
• Information Security Management System
• Broad set of general and IT-specific policies and controls that span the organisation
• Covers IT, HR, management, business continuity, incident management and other business functions and areas; the next slide gives examples
Slide 5
Examples
• Teleworking/home working: access to data
• Training staff: on information security issues and procedures
• Recruitment: security screening of candidates before they are given access
• Data retention policies: how long data is kept, where it is stored, how backups are made, who can access it
• Staff roles: security permissions, access to sensitive information
• Access to data by third parties and suppliers
Slide 6
Certification process
• Stage 1 - informal review of the security documentation (scope, policy, SoA, risk assessment) to check the ISMS is ready to be audited
• Stage 2 - formal and detailed compliance audit of the ISMS in operation, leading to certification
• Stage 3 - follow-up surveillance reviews and audits after certification to confirm the ISMS is still being operated
Slide 7
Security Documents
• Security policy document
• Statement of Applicability (SoA)
• Risk Treatment Plan (RTP)
• Not every control in the standard's control catalogue has to be implemented: the SoA records which controls are selected and justifies each exclusion. The management-system requirements themselves (the following three slides) are mandatory.
• You also define the scope the ISMS covers, so the security policy need not apply to the whole organisation
Slide 8
Mandatory requirements
• Define scope
• Define ISMS policy
• Define roles and responsibilities
• Define the risk assessment approach and the criteria for accepting risk
• Define the level of risk that is acceptable
• List assets and define their owners
• Identify threats, vulnerabilities, impact, likelihood and the resulting risk for each asset
Slide 9
Mandatory requirements
• Estimate the level of each risk and decide whether it is acceptable
• Choose a risk treatment option (accept, transfer, avoid or reduce) for each risk that is not acceptable
• List the controls to implement
• Manage the lifecycle of the documentation
• Obtain management approval of the residual risks and of the implementation plan
• Manage resources
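The two slides above describe the core of the assessment and treatment cycle: score each asset's risk, compare it with the acceptance criterion, pick a treatment, and record residual risks that management must approve, with the Statement of Applicability justifying which controls were selected. The following is an added worked example in Python, not material from the slides or from CTC, of one way to carry that out as a small risk register. It assumes a scoring method of likelihood × impact on 1..5 scales with a management-set threshold (the standard prescribes no particular method), and the assets, threats, scores and control identifiers are all constructed sample data, not Annex A numbers.

```python
"""Risk assessment and treatment in the shape ISO 27001 asks for (added example).

Assumed method: risk level = likelihood x impact, each scored 1..5, with
management's acceptance criterion expressed as a threshold on that level.
All assets, threats, scores and control ids below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    ACCEPT = "accept"        # keep the risk as it is
    REDUCE = "reduce"        # implement controls that lower likelihood or impact
    TRANSFER = "transfer"    # e.g. insurance or outsourcing; the score itself is unchanged
    AVOID = "avoid"          # stop the activity; the risk no longer exists


ACCEPTANCE_THRESHOLD = 6     # assumed management criterion: level <= 6 is acceptable


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int                                     # 1 (rare) .. 5 (almost certain)
    impact: int                                         # 1 (negligible) .. 5 (severe)
    treatment: Treatment = Treatment.ACCEPT
    controls: List[str] = field(default_factory=list)   # placeholder catalogue ids
    residual_likelihood: Optional[int] = None           # score after controls, if changed
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact):
            if score is not None and not 1 <= score <= 5:
                raise ValueError(f"score out of range 1..5: {score}")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_level(self) -> int:
        if self.treatment is Treatment.AVOID:
            return 0                                    # activity removed, nothing left to score
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def is_acceptable(level: int, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    return level <= threshold


def treatment_plan(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> Dict[str, List[str]]:
    """Group risks as a Risk Treatment Plan needs them.  'needs_management_approval'
    holds residual risks still above the criterion, or unacceptable risks left
    untreated: these must be explicitly approved, not silently carried."""
    plan: Dict[str, List[str]] = {"accepted": [], "treated": [], "needs_management_approval": []}
    for r in risks:
        if is_acceptable(r.level, threshold):
            plan["accepted"].append(r.asset)
        elif r.treatment is Treatment.ACCEPT or not is_acceptable(r.residual_level, threshold):
            plan["needs_management_approval"].append(r.asset)
        else:
            plan["treated"].append(r.asset)
    return plan


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Mark each catalogue control applicable or not, with the justification the SoA must carry."""
    soa = {}
    for cid, name in catalogue.items():
        users = [r.asset for r in risks if cid in r.controls]
        soa[cid] = {
            "name": name,
            "applicable": bool(users),
            "justification": (f"selected to treat risk on: {', '.join(users)}"
                              if users else "not selected: no identified risk requires it"),
        }
    return soa


# Constructed sample register; control ids are placeholders, not Annex A numbers.
CONTROL_CATALOGUE = {
    "CTRL-01": "Full-disk encryption on mobile devices",
    "CTRL-02": "Tested offline backups",
    "CTRL-03": "Cyber-insurance policy",
    "CTRL-04": "Decommission legacy service",
    "CTRL-05": "Supplier access agreements",
}

SAMPLE_RISKS = [
    Risk("Laptop fleet", "IT", "theft of device", "unencrypted disk", 4, 4,
         Treatment.REDUCE, ["CTRL-01"], residual_impact=1),
    Risk("Customer database", "Operations", "ransomware", "backups never test-restored", 3, 5,
         Treatment.REDUCE, ["CTRL-02"], residual_impact=2),
    Risk("Teleworking access", "HR", "data leakage from home network", "no device standard", 3, 3,
         Treatment.TRANSFER, ["CTRL-03"]),
    Risk("Public website", "Marketing", "defacement", "static content only", 2, 2),
    Risk("Legacy FTP server", "IT", "credential sniffing", "cleartext protocol", 4, 3,
         Treatment.AVOID, ["CTRL-04"]),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.asset:20} level={r.level:2} residual={r.residual_level:2} {r.treatment.value}")
    print(treatment_plan(SAMPLE_RISKS))
    for cid, entry in statement_of_applicability(SAMPLE_RISKS, CONTROL_CATALOGUE).items():
        print(cid, "applicable" if entry["applicable"] else "n/a", "-", entry["justification"])
```

Two design points worth noting: a transferred risk keeps its score, so "Teleworking access" still lands in the list needing management sign-off, which is the residual-risk approval the slide calls for; and the SoA is derived from the register rather than maintained by hand, so every selected control traces back to a risk and every unselected one carries a justification an auditor can read.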
Slide 10
Mandatory requirements
• Manage communications
• Implement the controls
• Define a metric (measure of effectiveness) for each control
• Monitor the performance of the controls
• Review the effectiveness of the controls
• Corrective actions
• Preventive actions
• Internal audits
• Management reviews
• Write the Statement of Applicability
Slide 11
ISMS Project Plan
• Identify the documents and procedures required by ISO 27001; locate templates and forms
• List the activities needed to implement the security plan: define scope, gap analysis, asset identification, risk assessment, SoA, policies, business continuity, internal audit
Slide 12
Thank you
We appreciate your interest in CTC
Tel: +44 0870 803 2095
Email: [email protected]
Web: www.technical-communicators.com