20071121_nalin_is27001 & bs25999

Post on 10-Apr-2018


  • 8/8/2019 20071121_Nalin_IS27001 & BS25999

    1/26

    A Glance into ISO 27001 and BS 25999

    Nalin Wijetilleke MBA, CISA, PMP, CBCP, BS7799LA

  • 2/26

    Agenda

    Information & Standards: an introduction
    ISO 27001: an overview
    BS25999: a quick walkthrough
    Wrap-up

  • 3/26

    What is the life blood of any organization?

    Can be in various forms

    Information

  • 4/26

    Some information is valuable as well as sensitive! Must maintain its

    Confidentiality
    Integrity
    Availability

  • 5/26

    Information is an Asset

    [Diagram: the information asset surrounded by threats; labels recovered from the slide: Remote Access Control, Systems Failure, Data Theft, Viruses/Cyber attack]

  • 6/26

    Information Security protects assets from a wide range of threats in order to ensure business continuity, minimize business damage and maximize ROI and business opportunities.

  • 7/26

    Why do you need a management code of practice and a standard?

    To achieve effectiveness and efficiency in handling & protecting Information
    Security that is achieved by technical means should be supported by appropriate management practice
    To benchmark against international organizations
    Agreed, repeatable way of doing things

  • 8/26

    ISO 27001

    Published in October 2005, replacing BS7799 Part 2
    Objective is to establish, implement, operate and monitor an Information Security Management System (ISMS)
    Design and implementation is according to the needs and objectives of the organization
    Belongs to the ISO 27000 family of information security standards

  • 10/26

    Implementing ISO 27001

    PDCA cycle

    Dr Edwards Deming

  • 11/26

    ISO 27001 is NOT

    about IT Controls
    on how to implement the stated controls
    on total enterprise Risk management
    about reacting to information security incidents or failures
    about aimlessly introducing security controls even though they are best practices

  • 12/26

    Challenges in implementing ISO 27001

    Lack of understanding of Information Security Risks at Corporate level
    Assumption of current practices as Best practices
    Failure to justify the investment in establishing an Information Security Governance framework
    Non-availability of a champion/evangelist
    Inability to sustain the practice/certification

  • 13/26

    International ISMS Register - UAE

    Dubal
    Dubai Holding
    GPO Electronic Document Processing Center
    Department of Health & Medical Services, Govt of Dubai
    Mashreqbank
    NBD
    Network International (member of Emirates-NBD Holding Co)
    Paramount Computers
    RAKBANK

    Reference: http://www.iso27001certificates.com/

  • 14/26

    BS 25999

    Business Continuity Management is on

  • 15/26

    BS 25999

    BS25999 Part 1, code of practice (released in Dec last year); Part 2, BCM Specification, released on November 20th 2007
    Objective is to establish a Best Practice framework to guide business
    Design and implementation is according to the needs and objectives of the organization
    Specifies Best Practice and not the general practice

  • 16/26

    PDCA Model applied to BCM Implementation process

  • 17/26 to 22/26

    BCM Life Cycle

    1. Setup the Program
    2. What have you got: structure, functions, risks
    3. How do you recover: who, what & when
    4. Recovery Planning
    5. Conduct Test, record and improve
    6. Build Culture

  • 23/26

    BS25999 Domains

    Clause 1 - Scope and applicability
    Clause 2 - Terms and definitions for the BS25999 perspectives
    Clause 3 - Overview of Business Continuity Management (BCM)
    Clause 4 - The Business Continuity Management Policy
    Clause 5 - BCM Program management
    Clause 6 - Understanding the organization
    Clause 7 - Determining the Business Continuity Strategy
    Clause 8 - Developing & implementing a BCM response
    Clause 9 - Exercising, maintaining and reviewing BCM arrangements
    Clause 10 - Embedding BCM in the organization's culture

  • 24/26

    BS25999 Benefits

    Demonstrate an accepted level of preparedness for a crisis or a disaster
    Clear business advantage
    Best practice and not general practice
    It is a single reference point
    Scalable and straightforward
    Allows confidence in the supply chain
    Other

  • 25/26

    Wrap-up

    Standards evolve with their maturity: generally they are born as a PAS (Publicly Available Specification), become a BS and finally an ISO standard
    ISO 27001 & BS 25999 are standards leading to better governance
    They are Best practices and not general practices
    Standards are scalable and straightforward, applicable to a small, SME or large organization
    They are also applicable globally within an industry
    BS25999 is the most recent standard and has 10 domains to address

  • 26/26

    [email protected]