ISO 27001:2005 A brief Introduction

Upload: phungcong

Post on 11-May-2018


Page 1: ISO 27001:2005 A brief Introduction - aigpl.com/start_up_pack/ISMSAwarenessPresentation.pdf

ISO 27001:2005 A brief Introduction

Page 2

Information

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”

– Printed or written on paper

– Stored electronically

– Transmitted by mail or electronic means

– Spoken in conversations

Page 3

What is Information Security?

ISO 27001 defines this as the preservation of:

Page 4

Achieving Information Security

Page 5

What is ISO 27001?

– An internationally recognized structured methodology dedicated to information security

– A management process to evaluate, implement and maintain an Information Security Management System (ISMS)

– A comprehensive set of controls comprised of best practices in information security

– Applicable to all industry sectors

– Emphasis on prevention

Page 6

Holistic Approach

– ISO 27001 defines best practices for information security management

– A management system should balance physical, technical, procedural, and personnel security

– Without a formal Information Security Management System, such as a BS 7799-2 based system, there is a greater risk of your security being breached

– Information security is a management process, not a technological process

Page 7

ISO 27001:2005 PDCA Structure

Page 8

ISO 27001:2005 Structure

Five mandatory requirements of the standard:

– Information Security Management System
  • General requirements
  • Establishing and managing the ISMS (e.g. Risk Assessment)
  • Documentation Requirements

– Management Responsibility
  • Management Commitment
  • Resource Management (e.g. Training, Awareness)

– Internal ISMS Audits

– Management Review of the ISMS
  • Review Input (e.g. Audits, Measurement, Recommendations)
  • Review Output (e.g. Update Risk Treatment Plan, New Resources)

– ISMS Improvement
  • Continual Improvement
  • Corrective Action
  • Preventive Action

Page 9

11 Domains of Information Management

Page 10

Implementation Process

Page 11

ISMS Documentation

Page 12

Documentation Requirement

The ISMS documentation shall include:

a) documented statements of the ISMS policy and objectives

b) the scope of the ISMS

c) procedures and controls in support of the ISMS

d) a description of the risk assessment methodology

e) the risk assessment report

f) the risk treatment plan

g) documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls

h) records required by this International Standard

i) the Statement of Applicability.

Page 13

Comparison Between ISO 9001 & ISO 27001

ISO 9001

• Quality Policy & Objectives
• Quality Manual
• 6 Mandatory Procedures
• Departmental Manual
• Procedures, Work Instructions, Guidelines
• Formats, Checklist

ISO 27001

• ISMS Manual
• Control Manual
• 5 Mandatory Procedures
• Other Work Instructions, Procedures, Guidelines required
• Formats, Checklist required
• ISMS policy & objectives
• a description of the risk assessment methodology
• the risk assessment report
• the risk treatment plan
• the Statement of Applicability
• legal & contractual requirements
• points considered in the management review input, including:
  – vulnerabilities or threats not adequately addressed in the previous risk assessment;
  – results from effectiveness measurements

Page 14

Thank You