cspo isaca iso27k presentation v.02


Upload: sami-ben-younes

Post on 09-Apr-2018


TRANSCRIPT

Page 1: CSPO ISACA ISO27k presentation v.02

8/7/2019 CSPO ISACA ISO27k presentation v.02

http://slidepdf.com/reader/full/cspo-isaca-iso27k-presentation-v02 1/22

Page 2: CSPO ISACA ISO27k presentation v.02


Agenda

Life Cycle Overview

Initiating

Planning

Executing

Controlling

Closing

Q & A

Topics

Relational Life Cycles

The ISO 27001 approach

Business Benefits

Critical Success Factors

Control Framework

Statement of Applicability

Scope Statement

Management's Responsibility

Capability Maturity Model

Page 3: CSPO ISACA ISO27k presentation v.02


Ice breaker 

Page 4: CSPO ISACA ISO27k presentation v.02


Life Cycle Overview

Page 5: CSPO ISACA ISO27k presentation v.02


Initiating

Page 6: CSPO ISACA ISO27k presentation v.02


Control Framework

The Information Security and Privacy control framework is comprised of multiple levels and specific control points mapped from the organization's business plans to departmental goals and objectives and to strategic and tactical planning.

This diagram attempts to explain the relationship between each level of control within the framework and the overall Confidentiality, Integrity and Availability of information assets and system resources.

Page 7: CSPO ISACA ISO27k presentation v.02


Business Benefits

Reduce risks and threats to the Confidentiality, Integrity and Availability of the organization's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best practice and framework for consistent, concise security administration.

Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.

Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure the organization's Executive Management Team that the organization's Information Assets and System Resources are secure.

Reduce the likelihood that an accidental security incident or breach of personal information caused by the organization's staff could have an adverse effect on the organization's reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security education and awareness program.

Page 8: CSPO ISACA ISO27k presentation v.02


Critical Success Factors

Information security policy, objectives, and activities that reflect business objectives;

An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organization's culture;

Visible support and commitment from all levels of management, especially Executives;

A good understanding of the information security requirements, risk assessment, and risk management;

Effective marketing of information security to all managers, employees, and other parties to achieve awareness;

Distribution of guidance on information security policy and standards to all managers, employees and other parties;

Provision to fund information security management activities;

Providing appropriate awareness, training, and education;

Establishing an effective information security incident management process;

Implementation of a measurement system that is used to evaluate performance in information security management and feed back suggestions for improvement.

Page 9: CSPO ISACA ISO27k presentation v.02


Planning

Page 10: CSPO ISACA ISO27k presentation v.02


ISO27k approach

Information Security Management System

"Plan-Do-Check-Act"

Page 11: CSPO ISACA ISO27k presentation v.02


Capability Maturity Model

Page 12: CSPO ISACA ISO27k presentation v.02


Critical Timeline Dependencies

Finalize the approval of the organization's information security policy before initiating employee education and awareness

Facilitate managers' meetings and departmental meetings to provide managers and employees with an ISO perspective tailored to their work environment

Facilitate employee education and awareness before conducting internal audits against compliance with it

Conduct ISO27k conformance audits against employee compliance with the information security policy to provide assurance that the organization is complying with ISO27k standards

Build up 1 - 3 months' worth of evidence that the organization is complying with ISO27k standards before we can achieve certification

The ISO27k certification will provide our partners, members, clients / customers and regulatory officials with independent evidence of the organization's standard of care for information protection

Page 13: CSPO ISACA ISO27k presentation v.02


Execution

Page 14: CSPO ISACA ISO27k presentation v.02


Management's Responsibility

Management commitment (ref. ISO27k clause 5.1)

Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:

a) establishing an ISMS policy;

b) ensuring that ISMS objectives and plans are established;

c) establishing roles and responsibilities for information security;

d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;

e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (ref. ISO27k clause 5.2.1);

f) deciding the criteria for accepting risks and the acceptable levels of risk;

g) ensuring that internal ISMS audits are conducted (ref. ISO27k clause 6); and

h) conducting management reviews of the ISMS (ref. ISO27k clause 7).

Page 15: CSPO ISACA ISO27k presentation v.02


Documentation

Statement of Applicability (SoA) Matrix

Non-conformance Template

Legal Obligations Matrix

Compliance Matrix

Asset Inventory Matrix

Standard Threat-Risk Assessment

Meeting Minutes Template

Standard Communication Format

Status Reporting Template

Risk Treatment Plan

Standard Policy Format

Master Document Inventory

Standard Audit Plan

Continual Improvement Plan

ISMS Manual

Risk Assessment Methodology

Audit Methodology

Internal Audit Practice

Document Control Practice

Corrective and Preventative Practice

Information Handling Practice

Page 16: CSPO ISACA ISO27k presentation v.02


Scope

Page 17: CSPO ISACA ISO27k presentation v.02


Statement of Applicability

Please note: the ISO/IEC 27001 Statement of Applicability did not indicate that the organization had an exclusion from the base ISO27k controls.

Page 18: CSPO ISACA ISO27k presentation v.02


Legal Obligations

Page 19: CSPO ISACA ISO27k presentation v.02


Control Matrix

Page 20: CSPO ISACA ISO27k presentation v.02


Controlling

Page 21: CSPO ISACA ISO27k presentation v.02


Scope Stage One Timeline

[Timeline chart, 2007-08; month axis: July, Aug, Sept, Oct, Dec, Jan]

Master Action Plan

Facilitate ISO27k training/awareness

BSI pre-certification assessment

Provide practice training as necessary

Implement ISO27k/ISMS program

Formalize ISO27k/ISMS Statement of Applicability

Communications plan

BSI - ISO27k/ISMS Nonconformities plan

Draft/Publish ISO27k/ISMS Policies

Coordinate a Desktop Review

Coordinate Full Audit

Registration Completed

GT05 Internal Audit Practice ref. # 6 & 4.3.1

GT02a Risk Treatment Plan ref. # 4.3.1

GT04 Continual Improvement ref. # 8 - 4.3.1

GT02b Statement of Applicability ref. # 4.3.1

GT01 Management Review Practice ref. # 7

GT03 Information Handling Practice ref. # 7.1 - 7.2.2

ISO27k/ISMS Scope Statement

Page 22: CSPO ISACA ISO27k presentation v.02


Questions