iso 27001 information security management systems
TRANSCRIPT
![Page 1: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/1.jpg)
ISO 27001 Information Security Management Systems
Prepared by
Alain Kallas, Front Defense FZ LLC
In Collaboration with
Mideast Data Systems
![Page 2: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/2.jpg)
Agenda• Introduction
– What is Information Security?– What is ISO 27001?
• Information Security Management System (ISMS) Requirements– PDCA Model– Risk Assessment– Management Responsibilities– Internal ISMS Audits– Management Review of the ISMS– ISMS Improvement
![Page 3: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/3.jpg)
Agenda• Controls Objectives and Controls
– Security Policy– Organization of Information Security – Asset Management– Human Resources Security– Physical and Environmental Security– Communications and Operations Management– Access Control– Information Systems acquisition, development and maintenance– Information Security Incident management– Business Continuity Management– Compliance
![Page 4: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/4.jpg)
• What is Information?
The Basics
![Page 5: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/5.jpg)
What is Information?
‘Information is an asset which, like other important business assets, has value to an organization and consequently needs
to be suitably protected’
![Page 6: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/6.jpg)
‘Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or using electronic means, shown on films, or spoken
in conversation.
Whatever form the information takes, or means by which it is shared or stored, it
should always be appropriately protected.’
What is Information?
![Page 7: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/7.jpg)
Information – The Lifeblood• Banks• Software Houses• National Security• Charities• Product Secrets• Health Care • Financial Models• Police Records
The list is long!……..
![Page 8: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/8.jpg)
Created
Processed Transmitted
Stored Destroyed?
Used – (for proper and improper purposes)
Corrupted!Lost!
What Can be Done with Information?
Information can be:
![Page 9: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/9.jpg)
Information Security Risks
• (Some) Categories of Information Security Risk:
– Information theft – Intrusion and subversion of system resources – Denial of service– Loss – Corruption
![Page 10: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/10.jpg)
Lack of appreciation of threatsStaff / Contractors / EmployeesE-mail and internet accessPhysical SecurityOutsourcingRemote working
Vulnerabilities
![Page 11: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/11.jpg)
FraudDisclosureDenial of ServiceDamage to ReputationLoss of CustomersShareholder/Stakeholder RelationsLegal and Regulatory action
= Damage to Image
Business Risks
![Page 12: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/12.jpg)
System Access & Networks
Where are the compromises coming from?
![Page 13: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/13.jpg)
Telephone Networks and their Growth
• Global network• Anyone can access any connected machine from
any other connected machine• Cheap and accessible
![Page 14: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/14.jpg)
US defense systems were attacked.
65% of those attacks were successful.
Internet and its Problems
• Staggering growth rate• Anyone can access any connected machine from any
other connected machine• Good guys and the bad guys are all connected
![Page 15: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/15.jpg)
APPLICATIONSAPPLICATIONS
DATABASESDATABASES
OPERATING SYSTEMSOPERATING SYSTEMS
NETWORK SERVICESNETWORK SERVICES
![Page 16: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/16.jpg)
Cited Examples of Common Attacks
• Forged e-mail ‘from’ addresses. • E-mail with "executable" enclosures to launch viruses and
other attack programs. • Attractive programs for download that have hidden and
possibly malicious or damaging side-effects (‘Trojan horse’ programs).
• Computer boot-sector viruses to crash systems. • Spoofing to conceal the true source of a message. • Hijacking to masquerade as a legitimate correspondent.
![Page 17: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/17.jpg)
Cited Examples of Common Attacks
• Password sniffing to steal a user's on-line identity. • Interception of communications traffic or ‘eavesdropping’. • Various forms of data or protocol flooding to crash a
system or network .• Subversion of operating systems. • Use of default account names and passwords. • Theft of password files and cracking of weak passwords.
![Page 18: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/18.jpg)
A recent test using such a program on an University NT network successfully cracked all 10,000+ passwords.
Password Crackers• People tend to use easily remembered passwords• Passwords often have personal significance• Use dictionaries to crack passwords• Commercially available programmes to crack passwords
![Page 19: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/19.jpg)
Bribe the staff
The Weakest Link• Question:• If you had a budget of $1,000,000 how would you crack a
HIGH security system?
![Page 20: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/20.jpg)
Equipment Failure• Lack of Planned Disaster Recovery and
back-ups• No UPS (Un-interruptible Power Supply)
![Page 21: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/21.jpg)
Computer theft is the fastest growing crime in the UK.
Every local authority in Londonhas been hit by computer theft.
Every £1 of IT equipment lost or stolen costs £15 in business disruption.
Computer theft cost British industry over £1.5 billion.
Theft
![Page 22: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/22.jpg)
• No regular tape back-up stored in fireproof safes.
• No extra set held off-site.
• Back up tapes not verified and tested.(50% of disc back-ups tested never work)
• Important paper documents, e.g. contracts, not protected and/or copied.
Absence of Disaster Recovery Plan
![Page 23: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/23.jpg)
NOTE:If the building is unsafe the Fire Services will not let people back in. Information may be unobtainable for weeks.This is an example of DR planning that has not been thought through.
![Page 24: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/24.jpg)
• Paper documents –on desks,in waste bins,left on photocopiers
• Whiteboards and flipcharts
• Telephone conversations overheard
• Conversations on public transport
Non – IT
![Page 25: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/25.jpg)
What is Information Security?
‘Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investment and business opportunities’.
![Page 26: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/26.jpg)
The three basic components:
• Confidentiality
• Integrity
• Availability
![Page 27: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/27.jpg)
Confidentiality
Ensuring that information is accessible only to those authorised to have access.
![Page 28: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/28.jpg)
Integrity
Safeguarding the accuracy and completeness of information and processing methods.
![Page 29: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/29.jpg)
Availability
Ensuring that authorised users have access to information and associated assets when required.
![Page 30: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/30.jpg)
In some organizations, integrity and/or availabilitymay be more important than confidentiality.
Confidentiality AvailabilityIntegrity
![Page 31: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/31.jpg)
INFORMATIONINFORMATION
Information Security
ATTACK
ATTACK
ATTACK
ATTACK
ATTACK
ATTACK
![Page 32: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/32.jpg)
ISO 27001 defines best practice for Information Security Management
• Without a formal Information Security Management System such as a ISO 27001 based system, security will be breached.
• Information Security is a management process, not a technological process.
![Page 33: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/33.jpg)
I’m committed
Management commitment• Business managers need to be seen to be
committed (Process Ownership)• Expect Chief Executive/Managing Director
to demonstrate commitment (Risk Management Decisions)
![Page 34: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/34.jpg)
Design and Implementation of an Information Security Management
System
![Page 35: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/35.jpg)
Section 4: Information security management systemSection 5: Management responsibilitySection 6: Internal ISMS auditsSection 7: Management review of the ISMSSection 8: ISMS improvement
ISO 27001 Requirements
![Page 36: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/36.jpg)
General Requirements
• Develop, implement, maintain and continually improve
• Policy and objectives• PDCA
![Page 37: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/37.jpg)
Plan Do Check Act
• Information security policy• Scope of the ISMS• Risk identification and assessment• Risk treatment plan (planning)
![Page 38: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/38.jpg)
Plan Do Check Act
• Resources, training and awareness• Risk treatment (control implementation)
![Page 39: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/39.jpg)
Plan Do Check Act
• Routine checking• Learning from others• Audits• Management review• Trend analysis
![Page 40: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/40.jpg)
Plan Do Check Act
• Non-conformity• Corrective and preventive actions
![Page 41: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/41.jpg)
Implementation
![Page 42: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/42.jpg)
ISMS Framework
Critical success factors• Experience has shown that the following
factors are often critical to the successful implementation of information security within an organisation:
![Page 43: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/43.jpg)
ISMS Framework• Security policy, objectives and activities that reflect
business objectives;• An approach to implementing security that is
consistent with the organizational culture;• Visible support and commitment from management;• A good understanding of the security requirements,
risk assessment and risk management;• Effective marketing of security to all managers and
employees.
![Page 44: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/44.jpg)
ISMS Framework
• Distribution of guidance on information security policy and standards to all employees and contractors;
• Providing appropriate training and education;• A comprehensive and balanced system of
measurement which is used to evaluate performance in information security management and feedback suggestions for improvement.
![Page 45: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/45.jpg)
ISMS Framework
• Documentation • Evidence of actions
– undertaken to establish the management framework.
• Summary of the management framework– including policy, control objectives, implemented
controls and summary of controls.
![Page 46: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/46.jpg)
ISMS Framework
• Procedures– to implement the controls and describe– responsibilities and actions.– covering the management and operation of
the ISMS and describing responsibilities and actions.
![Page 47: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/47.jpg)
ISMS – Security Policy‘A policy document shall be approved by
management, published and communicated, as appropriate, to all
employees’
![Page 48: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/48.jpg)
The management of these relationships is often the most difficult area for consideration in the ISMS.
ISMS – Scope
• Does the documentation describe unambiguously the scope of the ISMS?
• Are significant exclusions from the scope clearly identified and explained?
• Boundaries/interfaces must be clearly understood (important for the management of customer/supplier/partner relationships).
![Page 49: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/49.jpg)
If the scope is limited to part of an organization, its contents and audience will most probably be different from a scope covering the entire organization.
Where the ISMS is to satisfy external customers, there may well be externally facing and internally facing policies.
Therefore it is always (?) preferable to define the scope first, which will then determine the style and content of the policy(ies).
Scope
![Page 50: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/50.jpg)
The organization will need to present its scope for a proposed information security management system to meet the requirements of ISO 27001.
The scope shall be appropriate for the needs of customers (whether internal and/or external), and shall include the management of interfaces with all partners, suppliers and customers that may reasonably be considered to have an impact on the security of the object information.
Scope
![Page 51: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/51.jpg)
In the assessment of the scope, it will be expected that the organization has defined the contracts, service level agreements, memoranda of understanding and any other methods for implementing information security management across the interfaces with partners, suppliers and customers, etc.
Scope
![Page 52: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/52.jpg)
Consider the following:
Difficulties in defining scope?
![Page 53: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/53.jpg)
Defining Participants
Contracts and agreements
![Page 54: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/54.jpg)
ISMS – Risk Assessment• Has a formal Risk Assessment been identified,
performed and documented?• Has the selected method of Risk Assessment been
justified by an appropriate member of staff?• Does the Risk Assessment identify the vulnerabilities
of assets, the threats and potential impacts on the organization?
• Does the Risk Assessment identify potential losses of CIA on assets?
• Is Risk Assessment conducted at appropriate intervals and when changes occur to the system/ organization?
![Page 55: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/55.jpg)
Not always IT!
Security Risks
• A Security risk is the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of assets. Examples are?
![Page 56: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/56.jpg)
Risk Assessment• ISO 27001 requires a Risk Assessment to be carried
out to identify threats to assets.
![Page 57: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/57.jpg)
Asset Value and Potential Impacts
What is the value of an asset? (in the event of an incident)
![Page 58: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/58.jpg)
Assets
• Examples of assets associated with information systems are:– Information assets – data files, user manuals etc.– Paper documents – contracts, guidelines etc.– Software assets – application & systems software
etc.– Physical assets – computer, magnetic media etc.– People – customers, personnel etc.– Company image and reputation– Services – communications, technical etc.
![Page 59: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/59.jpg)
The value(s) will be measured in terms of impact on the organization, its suppliers, partners, customers and other interested parties in the event of a breach of security affecting confidentiality, integrity or availability.
The value(s) of the assets shall be established relevant to the context in which they are employed/ exist.
The value(s)
![Page 60: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/60.jpg)
More meaningful values need to be defined relative to impact of a security breach. Care should be exercised as judgements are subjective, and too much ‘granularity’ or ‘weighting’ may give the perception of a pseudo-scientific approach.
Generally, 4 ratings e.g ‘Very high’, ‘High’, ‘Medium’ and ‘Low’ will be adequate for the purpose of ranking risks.
Context Specific Asset Values
![Page 61: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/61.jpg)
Only the process owners (or their customers) can realistically define asset values, as it is important to make the judgement for each context in which an information asset exists or is used.
Context Specific Asset Values
![Page 62: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/62.jpg)
The organization will demonstrate that it has identified a suitable risk assessment method and conducted a risk assessment covering all assets identified.
Risk Assessment
![Page 63: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/63.jpg)
Considerations:• Does it identify vulnerabilities and threats?• Does it attempt to evaluate probabilities of threats
occurring? • Would someone else using the same data come
upwith the same results?
• Is the process repeatable and sustainable?• Does it allow for analysis of impact of changes?
Evaluating Methods
![Page 64: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/64.jpg)
Deliverables from any risk assessment• The process should identify any significant risk to all
identified assets in the context of use. • The process should provide a comprehensive report
to management.• The report should rank the risks according to
potential impact on the organization and its customers.
• It should identify any quick wins where it is possible to reduce risks substantially, quickly and cost effectively.
• It should, where possible, identify alternative solutions with pro’s and con’s.
![Page 65: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/65.jpg)
Risk Assessment Process
Monitor and Review
Communicate and Consult
EstablishContext
Identifythe
Risks
Analysethe
Risks
Evaluatethe
Risks
Controlthe
Risks
Assess Risks
![Page 66: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/66.jpg)
Risk Identification
Vulnerabilities are weaknesses associated with information assets. These weaknesses may be exploited by a threat causing a security breach that may result in loss,damage or harm to these assets.
![Page 67: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/67.jpg)
Threats
A threat has the potential to cause an unwanted incident which may result in harm to a system or organization and its assets
![Page 68: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/68.jpg)
Threats
• Assets are subject to many kinds of threats which exploit vulnerabilities, examples of which are?
![Page 69: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/69.jpg)
Vulnerabilities
A vulnerability in itself does not cause harm, it is merely a condition or set of conditions that may allow a threat to affect an asset
![Page 70: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/70.jpg)
Vulnerabilities
• Vulnerabilities are weaknesses associated with an organization's assets, examples are?
![Page 71: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/71.jpg)
The objective of analysis is to separate the minor risks from the major risks, and provide data to assist in the evaluation and control of risk.
Risk analysis involves consideration of the source of the risk, determination of the consequence and the likelihood of those consequences occurring.
Evaluate the Risks
![Page 72: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/72.jpg)
An organization certified to ISO 27001 was struck by lightning shortly before the assessment.
Another company certified to ISO 27001 was ram-raided. They were able to meet customer commitments thanks to their ISMS.
Probability
• What is the probability of an incident?
![Page 73: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/73.jpg)
This is often subjective and will need to be evaluated with the asset owner and probably with expert assistance. The main questions you need to ask are:
What is the likelihood of this happening?
How often will it happen?
When will it happen?
Probability
![Page 74: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/74.jpg)
The organization will rank the risks and identify any measures that may be employed to provide ‘quick wins’ to reduce any of the perceived risks.
Note: ‘quick wins’ may include simple expedients such as controlling physical access by locking doors.
Expectation
![Page 75: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/75.jpg)
Threats Vulnerabilities
Controls Risks Assets
SecurityRequirements
Asset Values
protectagainst
met by
exploit
increase increaseexpose
indicate increase have
reduce
Potential impact on Business
![Page 76: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/76.jpg)
ISMS – Risk Treatment
• Has the organization's approach to Risk Treatment been defined?
• Has the required acceptable level been defined?
• Are (control) options produced for management decisions?
![Page 77: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/77.jpg)
If the requirement has not been implemented, why not?
– Risk, not justified by risk exposure– Budget, financial constraints– Environment, influence on safeguards;
climate, space etc.– Technology, some measures are not
technically feasible– Culture, sociological constraints– Time, some requirements cannot be
implemented now– N/A, not applicable – Others
![Page 78: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/78.jpg)
Risk Treatment – Plan
• Applying controls• Accepting the risk• Avoiding the risk• Transferring the risk
![Page 79: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/79.jpg)
Acceptable Level of Risk
• It is not possible to achieve total security
• There will always be residual risk• What degree of residual risk is
acceptable to the organization?
![Page 80: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/80.jpg)
Risk Assessment ProcessAsset Identification and Valuation Identification of
Vulnerabilities Identification of ThreatsEvaluation of Impacts
Business Risk
Review of Existing Security Controls Identification of
new Security Controls Policy and
ProceduresImplementation and Risk ReductionRisk Acceptance
(Residual Risk)
Risk Assessment
Risk ManagementRating/ranking of Risks
![Page 81: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/81.jpg)
ISMS – Controls
• Are selected controls based on Risk Assessment results?
• Is it clear from the Risk Assessment which controls are baseline measures, which are mandatory and which may be considered optional?
• Do controls reflect the organization’s risk management strategy?
![Page 82: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/82.jpg)
detection
deterrence
prevention
limitation
correction
recovery
monitoring
awareness
Effective
Security
Controls
• Effective Security generally requires combinations of the following:
![Page 83: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/83.jpg)
ISMS – Statement of Applicability
• Has a Statement of Applicability (SoA) been prepared which identifies the reason for selection of appropriate controls and identifies excluded controls?
Note:This is the key document for assessment.It is the linking document between ISO 27001 and the ISMS. It will be referenced from the certification.
![Page 84: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/84.jpg)
By its nature of being a ‘selective’ standard (i.e. apart from Security Policy, there are no mandatory controls), the requirement for a statement of applicability is essential.
The Statement of Applicability may be used by a customer to evaluate the information security management system.
The Statement of Applicability is the key document in the third party assessment process.
The Statement of Applicability
![Page 85: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/85.jpg)
Procedures
Work Instructions,checklists,
forms, etc.
Records
Security ManualPolicy, scope
risk assessment,statement of applicability
Describes processes who,what, when, where.
Describes how tasks and specific activities are done
Provides objective evidence of compliance to ISMS requirements
Level 1Management framework
policies relating ISO27001
Level 2
Level 3
Level 4
ISMS Documentation
![Page 86: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/86.jpg)
Documentation Requirements
GeneralISMS shall include:• Documented security policy and objectives• Scope of the ISMS• Risk assessment report• Risk treatment plan
![Page 87: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/87.jpg)
Documentation Requirements
Documents needed for:• Effective planning, operation & control• Records• Statement of Applicability (SoA) [exclusions shall be recorded]
![Page 88: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/88.jpg)
Control of DocumentsDocumented procedures shall be established to define the controls needed to:
• Approve documents for adequacy prior to issue
• Review and update as necessary & re-approve
• Changes & the current revision status of documents are identified
• Relevant versions of applicable documents are available at point of use
![Page 89: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/89.jpg)
Control of Documents
• Legible and readily identifiable
• Documents of external origin are identified
• Distribution of documents is controlled
• Prevent the unintended use of obsolete documents
• Apply suitable identification if retained for anypurpose
![Page 90: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/90.jpg)
Control of Records
• Records established and maintained to provide evidence of conformity to requirements and to the effective operation of the ISMS shall be controlled
• Records may be manual or automatic
![Page 91: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/91.jpg)
Control of RecordA documented procedure shall be established to definethe controls need for:• Identification, storage, protection, retrieval, retention
time, disposition• Legal requirements need to be considered &
overseas?• Records need to be: legible, readily identifiable and
retrievable• Performance of the process security incidents• Extent of records – management decide
![Page 92: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/92.jpg)
Management responsibility
Management commitmentManagement shall provide evidence of its commitment by:• Communicating the importance of meeting security
objectives, legal & regulatory requirements and continual improvement
• Establishing – security policy, objectives & plans• Conducting management reviews• Deciding the level of residual risk
![Page 93: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/93.jpg)
Management responsibility
Provision of resources – to:• Set up and maintain the ISMS• Security procedures support the business requirements• Identify & address legal, regulatory and contractual
requirements• Adequate security of implemented controls,• Carry out reviews• Improve the process
![Page 94: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/94.jpg)
Management responsibility
Training, Awareness and CompetencyPersonnel assigned responsibilities in the ISMS shall be competent.• Provide training• Evaluate effectiveness of training• Ensure employees are aware• Maintain records of education, experience and qualifications
![Page 95: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/95.jpg)
Management Review of the ISMS
Top management shall review at planned intervals etc.•Review input•Review output
![Page 96: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/96.jpg)
Management Review of the ISMS
Internal ISMS Audits• Management shall ensure audits are
conducted at planned intervals
![Page 97: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/97.jpg)
ISMS Improvements
Continual improvement• Seek continual improvement• Improve the effectiveness of the ISMS through:
Security policySecurity objectivesResults of security reviewsSecurity auditsCorrective actionsPreventive actionsManagement review
![Page 98: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/98.jpg)
ISMS Improvements
Corrective action• Shall take actions to eliminate causes of
nonconformities, in order to prevent recurrence.• Documented procedure within the ISMS shall define:
Identifying nonconformitiesDetermining the causesEvaluating the need for action to prevent re-
occurrenceDetermining & implementing corrective actionRecording the resultsReviewing actions for effectiveness
![Page 99: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/99.jpg)
ISMS Improvements
Preventive action• Determine actions to guard against future
nonconformities• Documented procedure shall define:
Identifying potential nonconformities and their causes
Determining & implementing preventive actionsRecording the resultsReviewing preventive actions takenIdentifying changed risksEnsuring attention on significantly changed risks
![Page 100: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/100.jpg)
The organization must realise that risk assessment and risk management are not one-off events and the ISMS must make clear in the management and operational procedures how the system is to be re-evaluated and updated.
Re-evaluating the system
![Page 101: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/101.jpg)
Overview of Controlsfrom
ISO 27001
![Page 102: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/102.jpg)
‘Not all the controls described will be relevant to every situation, nor can they take account of local environmental or technological constraints, or be present in a form that suits every potential user in an organization’.
Control Objectives and Controls
![Page 103: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/103.jpg)
Security PolicyOrganisation of Information SecurityAsset ManagementHuman Resources SecurityPhysical and Environmental SecurityCommunications and Operations Management
Information security incident managementBusiness Continuity Management Compliance
ISO 27001 CONTROLS
Access ControlInfo sys acquisition, development & maintenance
![Page 104: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/104.jpg)
Objective –
To provide management direction and support for information security.
Policy Document
Information Security Policy Document
![Page 105: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/105.jpg)
Legal Regulatory
StandardsRules and regulationsthat are mandatory Requirements
Framework ofunderstandingand working
Guidelines Tools to do it
ProceduresHow to applythe polices
How to do it
Policy StatementHigh level document giving general outline of intent
Specific policies relatingto and supporting thepolicy statement
IntentPolicies
![Page 106: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/106.jpg)
Security Policy• Essential• Without this the security will be
fragmented and most likely ineffective (and will not meet the requirements of ISO 27001)
![Page 107: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/107.jpg)
I’m responsible
Requirement• Policy should leave no doubt that every
individual member of staff will be held accountable under the policy
![Page 108: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/108.jpg)
Policy types• Small organizations may only need one
policy.• Large organizations may need different
ones for different parts of the organization or even different systems.
![Page 109: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/109.jpg)
Security PolicyStatement
Policy Content• Simple and to-the-point• Top-level policy on one sheet of paper• Lower level policy available to all
![Page 110: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/110.jpg)
Organisation of Information Security:
ISO 27001 CONTROLS
To manage information security within the organization.
To maintain the security of the organizationinformation and information processing facilities that are accessed by external parties.
![Page 111: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/111.jpg)
SecurityManager
I.T. ProcessOwners
SteeringCommittee
Information Security Infrastructure
• Management information security forum• Information security co-ordination• Allocation of information security responsibilities• Authorisation process for information processing
facilities• Specialist information security advice• Co-operation between organizations• Independent review of information security
![Page 112: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/112.jpg)
Security of Third Party Access• Identification of risks from third party
access• Security requirements in third party
contracts
![Page 113: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/113.jpg)
Outsourcing Contract
Outsourcing• Security requirements in outsourcing
contracts
![Page 114: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/114.jpg)
Asset Management:To achieve and maintain appropriate protection
of organizational assets.To ensure that information receives an
appropriate level of protection.
ISO 27001 CONTROLS
![Page 115: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/115.jpg)
Asset Classification and Control
Objective:To maintain appropriate protection of organizational assets- Accountability for assets- Information classification
![Page 116: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/116.jpg)
Assets
What are assets?
Must be those relevant to the scope of the Information Security
Management System
![Page 117: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/117.jpg)
AssetsAn Asset is something an organization assignsvalue to, examples include:
– Information assets– Paper documents– Software assets– Physical assets– People– Company image and reputation– Services
![Page 118: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/118.jpg)
Accountability for Assets
Inventory of assets
![Page 119: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/119.jpg)
Top Secret
Secret
Confidential
Restricted
Restricted until
1/1/2005
‘Protectively Marked’
Information Classification• Classification guidelines• Information labelling and handling
![Page 120: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/120.jpg)
Human Resources Security:
Prior to employment.During employment.Termination or change of employment.
ISO 27001 CONTROLS
![Page 121: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/121.jpg)
Security in Job Definition and Resourcing
• Including security in job responsibilities• Personnel screening and policy• Confidentiality agreements• Terms and conditions of
employment
![Page 122: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/122.jpg)
User Training
• Information security education and training
![Page 123: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/123.jpg)
Physical and Environmental Security:
To prevent unauthorized physical access, damage and interference to the organizations premises and information.
To prevent loss, damage, theft or compromise of assets and interruption to the organizationactivities.
ISO 27001 CONTROLS
![Page 124: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/124.jpg)
I.D.
Secure Areas• Physical security perimeter• Physical entry controls• Securing offices, rooms and facilities• Working in secure areas• Isolated delivery and loading areas
![Page 125: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/125.jpg)
Equipment Security• Equipment siting and protection• Power supplies• Cabling security• Equipment maintenance• Security of equipment off-premises• Secure disposal or re-use of equipment
![Page 126: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/126.jpg)
Controls• PCs can be stolen• Fileservers are not much bigger• Physical access controls may be required• Visitors/contractors may need escorting
![Page 127: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/127.jpg)
General Controls
• Clear desk and clear screen policy• Removal of property
![Page 128: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/128.jpg)
Communications and Operations Management:
ISO 27001 CONTROLS
Operational procedures and responsibilities.Third party service delivery management.System planning and acceptance.Protection against malicious and mobile code.Back-up.Network security management.Media handling.Exchange of information.Electronic commerce services.Monitoring.
![Page 129: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/129.jpg)
Operational Procedures and Responsibilities
• Documented operating procedures• Operational change control• Incident management procedures• Segregation of duties• Separation of development and operational facilities• External facilities management
![Page 130: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/130.jpg)
2005
2001
System Planning and Acceptance
• Capacity planning• System acceptance
![Page 131: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/131.jpg)
Protection Against Malicious Software
• Controls against malicious software
![Page 132: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/132.jpg)
Housekeeping
• Information back-up• Operator logs• Fault logging
![Page 133: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/133.jpg)
Network Management• Network controls
![Page 134: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/134.jpg)
Media Handling and Security• Management of removable computer media• Disposal of media• Information handling procedures• Security of system documentation
![Page 135: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/135.jpg)
Exchanges of Information and Software
• Information and software exchange• Security of media in transit• Electronic commerce security• Security of electronic mail• Security of electronic office systems• Publicly available systems• Other forms of information exchange
![Page 136: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/136.jpg)
Note: Loading a patch may cause a problem if not tested for compatibility with other software.
Importance of back-ups for operatingsystems, applications and data.
Controlse.g. Software patches
• Software patches are frequently released to correct software bugs and/or to plug potential security weaknesses discovered.
• They are often free and may be downloaded from supplier’s web site.
• Organizations often ignore these.
![Page 137: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/137.jpg)
ISO 27001 CONTROLS
Access Control:
Business requirement for access control.User access management.User responsibilities.Network access control.Operating system access control.Application and information access control.Mobile computing and teleworking.
![Page 138: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/138.jpg)
You are notauthorised to access this
system
Business Requirements for Access Control
• Access control policy
![Page 139: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/139.jpg)
System Administrator
Menu
User Access Management
• User registration• Privilege management• User password management• Review of user access rights
![Page 140: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/140.jpg)
User Responsibilities
• Password use• Unattended user equipment
![Page 141: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/141.jpg)
Network Access Control• Policy on use of network services• Enforced path• User authentication for external connections• Node authentication• Remote diagnostic port protection• Segregation in networks• Network connection control• Network routing control• Security of network services
![Page 142: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/142.jpg)
Operating System Access Control
• Automatic terminal identification• Terminal log-in procedures• User identification and authentication• Password management system• Use of system facilities• Duress alarm to safeguard users• Terminal time-out• Limitation of connection time
![Page 143: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/143.jpg)
Application Access Control
• Information access restriction• Sensitive system isolation
![Page 144: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/144.jpg)
14:27
Monitoring System Access and Use
• Event logging• Monitoring system use• Clock synchronisation
![Page 145: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/145.jpg)
Mobile Computing and Teleworking
• Mobile computing• Teleworking
![Page 146: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/146.jpg)
ISO 27001 CONTROLS
Info sys acquisition, development & maintenance
Security requirements of information systems.Correct processing in applications.Cryptographic controls.Security of system files.Security in development and support processes.Technical Vulnerability Management.
![Page 147: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/147.jpg)
Specification;oiu;u;p’pjoiu;oiuiu;iou;oiu;oiuoipoipo
#po#po#[po#[po[po#[po[pophn ji
Hhhuhiu hiuyhuy8
J o’oiiuyfuytdyiuy;9uyouo;iui j;oij;
Ijijweifjerhf
uuhiuyrhqe wu24i5yiufu24
O#popo[po[ppo[po#[o#o#o#[o#o#o#hilugiuiugi
O[popo[po[po
;oiu;u;p’pjoiu;oiuiu;iou;oiu;oiuoipoipo
#po#po#[po#[po[po#[po[pophn ji
Hhhuhiu hiuyhuy8 iouo;iu;oiruoi
J o’oiiuyfuytdyiuy;9uyouo;iui j;oij;
Ijijweifjerhf ;ij;oirj;qiruqoriqur;
uuhiuyrhqeii; io;iu wu24i5yiufu24
O#popo[po[ppo[po#[o#o#o#[o#o#o#hilugiuiugi uoiuoi iouoiu;oiu;o9iu
O[popo[po[pou;oi
Business Case;oiu;u;p’pjoiu;oiuiu;iou;oiu;oiuoipoi
po
#po#po#[po#[po[po#[po[pophn ji
Hhhuhiu hiuyhuy8 iouo;iu;oiruoi
J o’oiiuyfuytdyiuy;9uyouo;iui j;oij;
Ijijweifjerhf ;ij;oirj;qiruqoriqur;
uuhiuyrhqeii; io;iu wu24i5yiufu24
O#popo[po[ppo[po#[o#o#o#[o#o#o#hilugiuiugi uoiuoi iouoiu;oiu;o9iu
O[popo[po[pou;oi
SecurityRequirements
Security Requirements of Systems
• Security requirements analysis and specification
![Page 148: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/148.jpg)
Security in Application Systems
• Input data validation• Control of internal processing• Message authentication• Output data validation
![Page 149: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/149.jpg)
.ӣ7ngtsua64dgsConfidential
Cryptographic Controls
• Policy on use of cryptographic controls• Encryption• Digital signatures• Non-repudiation services• Key management
![Page 150: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/150.jpg)
Security of System Files
• Control of operational software• Protection of system test data• Access control to program source
library
![Page 151: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/151.jpg)
Security in Development and Support Processes
• Change control procedures• Technical review of operating system changes• Restrictions on changes to software packages• Covert channels and Trojan code• Outsourced software development
![Page 152: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/152.jpg)
Information security incident management
ISO 27001 CONTROLS
Reporting information security events and weaknesses.
Management of information security incidents and improvements.
![Page 153: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/153.jpg)
Objective:To minimize the damage from security incidents and
malfunctions and to monitor and learn from such incidents
• Definition• Procedure
Reporting Security Incidents
![Page 154: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/154.jpg)
Responding to Security Incidents and Malfunctions• Reporting security incidents• Reporting security weaknesses• Reporting software malfunctions• Learning from incidents• Disciplinary process
![Page 155: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/155.jpg)
Business continuity management:
ISO 27001 CONTROLS
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
![Page 156: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/156.jpg)
Objective –To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
• Key steps to business continuity
Business Continuity Management
![Page 157: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/157.jpg)
Aspects of Business Continuity Management
• Business continuity management process• Business continuity and impact analysis• Writing and implementing continuity plans• Business continuity planning framework• Testing, maintaining and re-assessing business
continuity plans
![Page 158: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/158.jpg)
Compliance:
ISO 27001 CONTROLS
Compliance with legal requirements.Compliance with security policies and
standards, and technical compliance.Information systems audit considerations.
![Page 159: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/159.jpg)
Compliance with Legal Requirements• Identification of applicable legislation• Intellectual property rights (IPR)• Safeguarding of organizational records• Data protection and privacy of personnel information• Prevention of misuse of information
processing facilities• Regulation of cryptographic controls• Collection of evidence
![Page 160: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/160.jpg)
Objective -To avoid breaches of copyright through prevention of copying without owner’s consent. • Restrictions on copying• License agreements• Policy compliance• Contract requirements
Intellectual Property Rights
![Page 161: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/161.jpg)
Objective –Prevention of loss, destruction and falsification of important records.• Retention• Storage• Disposal
Safeguarding of Organizational Records
![Page 162: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/162.jpg)
Objective –Compliance with Data Protection Legislation in those countries where applicable.
Data Protection and Privacy of Personal Information
![Page 163: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/163.jpg)
Prevention of Misuse of InformationProcessing Facilities
• Use of e-mail and the world wide web
• Use of system and information for private work
• Loading up personal software
![Page 164: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/164.jpg)
Regulation of Cryptographic Controls
• Consideration of national and international laws
• Business case to define their use
• Good key management controls required
![Page 165: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/165.jpg)
Evidence
• Legal requirements, software, data protection
• Operator/user logs• Security reviews• Housekeeping
![Page 166: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/166.jpg)
Reviews of Security Policy and Technical Compliance
• Compliance with security policy• Technical compliance checking
![Page 167: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/167.jpg)
System Audit Considerations
• System audit controls• Protection of system audit tools
![Page 168: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/168.jpg)
Note‘Not all the controls described
will be relevant to every situation, nor can they take account of local
environmental or technological constraints, or be present in a form that suits every potential
user in an organization’
![Page 169: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/169.jpg)
Assessment and Certification
• The Process
• Maintenance
![Page 170: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/170.jpg)
Pre-assessment (optional)
Documentation Audit
Implementation Audit
Continuing Assessment
3-Year Re-assessment
Pre-certification
Post-certification
Assessment Stages
![Page 171: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/171.jpg)
• Opportunity to identify and fix weaknesses• Senior Management take ownership of
information Security• Provides confidence to trading partners and
customers• Focused staff responsibilities• Independent review of your information
Security Management System
CERTIFICATION BENEFITS
![Page 172: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/172.jpg)
2Thailand7Sweden
2Slovak Republic8Switzerland
1882Total2Philippines8Austria
1Turkey2Malaysia11Singapore
1South Africa2Isle of Man11Norway
1Slovenia2Denmark11Ireland
1Russian Federation2Croatia14Hungary
1Romania2Canada15Finland
1Qatar2Belgium17Australia
1Morocco3UAE18Hong Kong
1Macedonia3Saudi Arabia18China
1Macau3Mexico22Netherlands
1Luxemburg3Kuwait26USA
1Lithuania3Argentina 35Korea
1Lebanon4Iceland40Italy
1France4Greece48Germany
1Egypt4Brazil64Taiwan
1Colombia5Spain 131India
1Chile5Poland215UK
1Bahrain6Czech Republic1080*Japan
GLOBAL REGISTRATIONS
![Page 173: ISO 27001 Information Security Management Systems](https://reader031.vdocuments.site/reader031/viewer/2022012007/61d96b47c1719c45621a0189/html5/thumbnails/173.jpg)
Any Questions?
Thank you for your participation
Front Defense FZ LLC
Dubai Internet City
Tel: +971-4-367 6767, Fax: +971-4-368 8072
P.O Box 500419, Dubai - UAE
Email: [email protected]