Presentation on ISO/IEC 27001:2013
Source: KATTI, katti.co.ke/images/PRESENTATIONS/ISMS-Top-Mgt.pdf

Slide 1: Presentation on ISO/IEC 27001:2013
Information Security Management Systems (ISMS)
by John Njiri
Slide 2: IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS) BASED ON ISO 27000 STANDARDS
TOP MANAGEMENT BRIEFING
Slide 3: Learning Objectives
• Introduce delegates to the concept of Information Security and to Information Security Management Standards
• Understand Information Security as a PC requirement
• Delegates to understand the requirements of Clause 5 of the ISO/IEC 27001:2013 standard and how to implement them in the organization
• Give an overview of the steps to certification
Slide 4: Information Security and Information Security Management
Slide 5: What is Information Security?
• Information Security is the preservation of Confidentiality, Integrity and Availability of information.
• In addition, other properties such as authenticity, accountability, non-repudiation and reliability should also be involved.
Slide 6: Why Information Security?
• The main aims include:
  – To ensure Business Continuity
  – To minimize business damage by preventing and minimizing the impact of security incidents
Slide 7: C.I.A (three basic components)
• C — Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
• I — Integrity: The property of safeguarding the accuracy and completeness of assets
• A — Availability: The property of being accessible and usable upon demand by an authorized entity
In some organizations integrity and/or availability may be more important than confidentiality.
Slide 8: What is ISMS?
• That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
• A management process.
• Not a technological process.
Slide 9: ISO/IEC 27001:2013 Information Technology – Security Techniques – Information Security Management Systems – Requirements
Provides specific requirements:
• For establishing, implementing, maintaining and continually improving a documented ISMS designed to.
• For the assessment and treatment of information security risks tailored to the needs of the organization.
It is the only standard in the family used for certification.
Slide 10: Types of Information
• Internal – Information that you would not want your competitors/clients to know
• Customer/client – Information that they would not wish you to divulge
• Shared – Information that may be shared with other trading partners/persons
Slide 11: Information Assets
In information security, computer security and network security, an Asset is any data, device, or other component of the environment that supports information-related activities.
Slide 12: Asset Examples
• Information assets – databases & data files, system documentation, user manuals, training materials, operational or support procedures, continuity plans, fall-back arrangements.
• Paper documents – contracts, guidelines, company documentation, documents containing important business results.
Slide 13: Asset Examples (Cont…)
• Software assets – application software, system software, development tools, utilities.
• Physical assets – computer and communication equipment, magnetic media (tapes & discs), furniture (cabinets, safes, desks & drawers), etc.
Slide 14: Asset Examples (Cont…)
• People – personnel (full-time, part-time), customers, subscribers, suppliers.
• Company image and reputation.
• Services – computing and communication services, other technical services (heating, lighting, power, air conditioning).
Slide 15: Asset Inventory
• An inventory of major assets is drawn up, containing all major assets in the ISMS, with the location and owner of each (A.7.1.1).
Slide 16: Examples of information
• Commercial details (strategies, finances, business performance)
• Bids for contracts, market research reports
• Designs, patents, technical research, plans
• Passwords
• Personal details (health, credit rating, personal history, etc.)
• Names, addresses, phone numbers
Slide 17: Information lifecycle
Information may need protection through its entire lifecycle, including deletion or disposal:
• Create
• Store
• Distribute (to authorized persons)
• Modify (by authorized persons)
• Archive
• Delete (electronic) or Dispose (paper, disks etc.)
Slide 18: Risks, Threats & Vulnerabilities
Note: In risk management, the Information Asset is what we are trying to protect.
• Threat – A potential cause of an incident that may result in harm to systems and the organization. (What we are trying to protect against)
• Vulnerability – A weakness of an asset (resource) or a group of assets that can be exploited by one or more threats. (The weakness or gap in our protection efforts)
• Risk – The effect of uncertainty on objectives. (The intersection of assets, threats and vulnerabilities)
Slide 19: Information Security Threats
Threat – A potential cause of an incident that may result in harm to systems and the organization.
Threats can be classified according to their type and origin:
1) Origin: Deliberate, Accidental, or Environmental.
2) Type: Physical, natural events, loss of essential services, compromise of information, technical failure, compromise of functions.
3) Human: Internal, External.
Slide 20: Threats Classification – Origin
• Deliberate: aiming at the information asset
  – spying
  – illegal processing of data
  – intrusion of systems
  – masquerade
• Accidental
  – equipment failure
  – software failure
  – loss of power supply
• Environmental
  – natural events (earthquake, fire, floods)
Slide 21: Threats Classification – Type
• Physical damage
  – fire
  – water
  – pollution
• Natural events
  – climatic
  – seismic
  – volcanic
• Loss of essential services
  – electrical power
  – air conditioning
  – telecommunication
• Technical failures
  – equipment
  – software
  – capacity saturation
Slide 22: Threats Classification – Type (Cont…)
• Compromise of information
  – eavesdropping
  – theft of media
  – retrieval of discarded materials
• Compromise of functions
  – error in use
  – intrusion of systems
  – abuse of rights
  – denial of actions
  – masquerade
Slide 23: Threats Classification – Human
• Internal
  – Angry employees
  – Dishonest employees
  – Criminals
• External
  – Governments
  – Terrorists
  – The press
  – Hackers
  – Competitors
Slide 24: Information Security Vulnerability
Vulnerability – A weakness of an asset (resource) or a group of assets that can be exploited by one or more threats.
Examples:
• Weak/broken processes
• Ineffective controls
• Weak passwords
• Software bugs
• Hardware flaws
• Business change
• Human ignorance
Slide 25: Risks, Threats & Vulnerabilities
RISK is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.
Threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk.
Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets.
Slide 26: Risks, Threats & Vulnerabilities
RISK = Asset x Threat x Vulnerability
Example: In a system that allows weak passwords,
– Vulnerability – A weak password is vulnerable to attacks or hacking
– Threat – An intruder can exploit the password weakness to break into the system
– Risk – The resources within the system are prone to illegal access/modification/damage by the intruder.
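The RISK = Asset x Threat x Vulnerability rule above, carried through a small risk register as an added example that is not part of the presentation. The 0..5 scoring scale per factor, the High/Medium/Low bands, the acceptance level and the sample assets and scenarios are all assumptions; the deck gives no numeric scales.

```python
"""Risk register calculator applying the deck's rule RISK = Asset x Threat x Vulnerability.

Added example, not from the presentation. The 0..5 scoring scale per factor and
the High/Medium/Low bands are assumptions; the deck gives no numeric scales.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed: each factor is scored 0 (absent) .. 5 (maximum)


@dataclass(frozen=True)
class Asset:
    """One asset inventory row: name, owner and location (A.7.1.1 in the deck)."""
    name: str
    owner: str
    location: str
    value: int  # 0..5: business impact if the asset's C, I or A is lost


@dataclass(frozen=True)
class Scenario:
    """A threat exploiting one vulnerability of one asset."""
    asset: Asset
    threat: str
    threat_likelihood: int  # 0..5: 0 means no credible threat source
    vulnerability: str
    vuln_severity: int      # 0..5: 0 means no exploitable weakness


def _check_score(value: int, label: str) -> int:
    if not 0 <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be in 0..{SCALE_MAX}, got {value}")
    return value


def risk_score(s: Scenario) -> int:
    """RISK = Asset x Threat x Vulnerability. A zero factor gives zero risk: a threat
    with no matching vulnerability, or a vulnerability nobody threatens, is the
    deck's 'little/no risk' case."""
    return (_check_score(s.asset.value, "asset value")
            * _check_score(s.threat_likelihood, "threat likelihood")
            * _check_score(s.vuln_severity, "vulnerability severity"))


def risk_level(score: int) -> str:
    """Bands over the 0..125 product range (assumed thresholds)."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low" if score > 0 else "None"


def risk_register(scenarios) -> list:
    """Risk register rows, highest risk first (the deck's Step 3 deliverable)."""
    rows = []
    for s in scenarios:
        score = risk_score(s)
        rows.append({"asset": s.asset.name, "owner": s.asset.owner, "threat": s.threat,
                     "vulnerability": s.vulnerability, "score": score,
                     "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def needs_treatment(register, acceptable: int = 19) -> list:
    """Rows above the (assumed) acceptance level go on the risk treatment action plan."""
    return [r for r in register if r["score"] > acceptable]


# Constructed sample inventory and scenarios; the values are illustrative only.
CUSTOMER_DB = Asset("Customer database", "Head of Sales", "Server room, HQ", 5)
FILE_SERVER = Asset("Departmental file server", "Head of ICT", "Server room, HQ", 3)
ARCHIVE = Asset("Paper contract archive", "Head of Legal", "Records store", 2)

SCENARIOS = [
    # The deck's own example: weak passwords let an intruder into the system.
    Scenario(CUSTOMER_DB, "Intruder breaks into the system", 4, "Weak passwords allowed", 4),
    Scenario(FILE_SERVER, "Loss of power supply", 3, "No UPS for the server room", 3),
    # Threat present, no vulnerability: backup media are encrypted and kept in a safe.
    Scenario(CUSTOMER_DB, "Theft of backup media", 2, "None identified", 0),
    # Vulnerability present, no credible threat at this site.
    Scenario(ARCHIVE, "Flooding", 0, "Boxes stored on the floor", 3),
]

if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f"{row['level']:<6} {row['score']:>3}  {row['asset']} | {row['threat']} | {row['vulnerability']}")
```

The two zero-score rows show the previous slide's point in numbers: a threat without a vulnerability, or a vulnerability without a threat, contributes nothing to the register and never reaches the treatment plan.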
Slide 27: Information Security Risks
Examples of Information Security Risks:
• Loss of information
• Information theft
• Corruption of information/data
• Unauthorized access to information (hacking, whiteboards/flipcharts)
• Denial of service
• Telephone conversations overheard
• Conversations overheard on public transport
• Access to confidential information due to social engineering
Slide 28: ISMS as a PC Requirement
11/10/2018 www.borasoft.co.ke
Slide 29: Safety and Security Measures Indicator
• Implement the Information Security Management System (ISMS)
Step 1 (5%)
• Appoint ISMS leader – 1%
• Appoint and train ISMS champions – 2%
• Define scope – 2%
Step 2 (5%)
• Brief top management on ISMS
• Train implementers (process owners) – 2%
• Conduct awareness training for all employees – 2%
Step 3 (30%)
• Create ISMS Risk Management (Risk Registers and Risk Management Action Plan) – 10%
• Finalize documentation of the ISMS, i.e. policy and procedures, and launch the ISMS based on the standard (ISO/IEC) – 20%
• Establish information assets and secure them (40%)
Slide 30: REQUIREMENTS OF ISO/IEC 27001:2013 CLAUSE 5
Slide 31: Clauses within ISO 27001:2013
• Clause 0: Introduction
• Clause 1: Scope
• Clause 2: Normative References
• Clause 3: Terms and Definitions
• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: Improvement
• Annex A: Control objectives and Controls
• Bibliography
Slide 32: PDCA Model applied to ISMS processes
[Figure: PDCA structure of ISO 27001. The Information Security Management System (4) takes "Organization and its context (4)" and "Needs and expectations of relevant interested parties (4)" as inputs and produces "Results of the ISMS". The clauses are arranged around the Plan, Do, Check, Act cycle: Leadership (5) and Planning (6), with Risk Assessment and the Risk Treatment Plan; Support & Operation (7, 8); Performance evaluation (9); Improvement (10).]
Slide 33: Clause 5: Leadership
5.1 Leadership and commitment
• Top Managers are required to:
  – ensure that the ISMS policy and ISMS objectives are established and are compatible with the Company Strategy,
  – ensure integration of the ISMS requirements into the organization's processes,
  – ensure that the resources required are available (Clause 7).
Slide 34: Clause 5: Leadership
5.1 Leadership and commitment
• Top Managers are required to:
  – communicate the importance of effective information security management and of conforming to the ISMS requirements,
  – ensure that the ISMS achieves its intended outcome,
  – promote continual improvement of the ISMS (Clause 10.2).
Slide 35: Clause 5: Leadership
5.1 Leadership and commitment
• Top Managers are required to:
  – motivate and empower employees,
  – direct and support persons to contribute to the effectiveness of the information security management system, and
  – support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Slide 36: Clause 5: Leadership
5.2 Policy
• It is Top Management's documented commitment to satisfy applicable requirements related to IS.
• It should be periodically reviewed and revised to reflect changing conditions and information.
• It must be available to interested parties.
• All employees must be acquainted with the policy.
Slide 37: Clause 5: Leadership
5.2 Documentation requirements of the policy
The policy must:
• be appropriate to the purpose of the organization;
• include information security objectives or provide a framework for setting IS objectives;
• include a commitment to satisfy applicable requirements related to IS; and
• include a commitment to continual improvement of the ISMS.
Slide 38: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Slide 39: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
There is need to define the roles, responsibilities and authorities for:
a) Top Management,
b) ISMS Manager,
c) ISMS Implementation Team,
d) ISMS Internal Auditors,
e) Process Owners, and
f) Members of Staff.
Slide 40: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
a) Top Management
1. Development and review of the ISMS policy,
2. Establishment, communication and monitoring of Information Security objectives,
3. Review, consider and approve information security policies and procedures,
4. Review, consider and approve the results of risk assessment,
5. Ensure availability of resources for the ISMS.
Slide 41: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
b) ISMS Manager
1. Coordination and implementation of the ISMS policy and the supporting ISMS framework,
2. Maintaining the ISMS and ensuring its on-going conformity to ISO/IEC 27001,
3. Supporting HODs and the ISMS implementation team by providing advice and guidance on all aspects of information security,
4. Organizing and managing internal ISMS audits, and reporting on the performance of the ISMS to the Managing Director,
5. Planning and chairing ISMS Implementation Team meetings.
Slide 42: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
c) Heads of Departments/Process Owners
1. Preservation of the confidentiality, integrity, and availability of information and information assets,
2. Conducting or facilitating risk assessment and implementing risk treatments,
3. Noting and reporting information security weaknesses and information security events, and identifying improvement opportunities;
Slide 43: Clause 5: Leadership
5.3 Organizational roles, responsibilities and authorities
c) Heads of Departments/Process Owners (Cont…)
4. Responding to nonconformities by determining and implementing corrective actions;
5. Ensuring persons under their area of control are aware of the ISMS policy, their contribution to the effectiveness of the ISMS and the implications of not conforming to ISMS requirements.
Slide 44: 9 Performance evaluation
9.3 Management review
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Slide 45: STEPS TO CERTIFICATION & BENEFITS OF IMPLEMENTATION
Slide 46: Key Steps to Certification
1. Management Commitment / Appoint ISMS Manager
2. Awareness Creation (Top, Implementers, Staff)
3. Define ISMS Scope and Policy
4. Document the ISMS (Policies, Procedures, etc.)
5. Undertake Risk Assessment & Treatment
6. Monitor Treatment Processes
7. Undertake Internal Audits & Management Review
8. Undertake Pre-certification Audit
9. Certification Audits & Corrective Actions
10. Maintain Certification
Slide 47: Certification Assessment
• Pre-assessment (optional)
• Stage 1 — Documentation audit
• Stage 2 — Implementation audit
• Continuing surveillance
• 3-year reassessment
Slide 48: Key Benefits of implementing ISO 27001
1. Compliance
Helps an organization comply with various regulations regarding data protection, privacy and IT or other information security governance.
2. Lowering the expenses
Financial gain if you lower your expenses caused by incidents, less interruption in service, or occasional data leakage, or disgruntled employees.
Slide 49: Key Benefits of implementing ISO 27001
3. Marketing edge
ISO/IEC 27001 could be a unique selling point, especially if you handle clients' sensitive information.
4. Awareness
Greater information security awareness within the organization.
Slide 50: THANK YOU
Q&A
Slide 51
Muthaiga Suites, Opp. Oil Libya Plaza, Off Thika Super Highway
P.O. Box: 23158 - 00100 Nairobi, Kenya
Tel: +254 (0) 20 2629783/4, 722 507 360, 702 555 222
Website: www.borasoft.co.ke