© 2013 Cambridge Technical Communicators Slide 1
ISO/IEC 27001 Standard for Information Security Management Systems
Information Security Requirements
• ISO 27001: specifications
• ISO 27002: code of practice
• Download from BSI website: http://17799.standardsdirect.org
• The Information Security Forum (ISF) publishes the 2007 Standard of Good Practice (SoGP)
Process
• A) Identify information security risks: threats, vulnerabilities and impacts
• B) Design/implement information security controls: risk management - risk avoidance/risk transfer
• C) Maintain security policy/adopt management process
ISMS
• Information Security Management System
• Broad set of general and IT-specific policies and controls that span the organisation
• Includes IT, HR, management, business continuity, incident management and other business functions/areas, for example:
Examples
• Teleworking/home working: access to data
• Training staff: on information security issues and procedures
• Recruitment: security checks
• Data retention policies: how long, where stored, how backups are made, who can access
• Staff roles: security permissions, access to sensitive information
• Access to data by third parties and suppliers
Certification process
• Stage 1 - informal review of security documentation
• Stage 2 - formal and detailed compliance audit
• Stage 3 - follow-up reviews and audits
Security Documents
• Security policy document
• Statement of Applicability (SoA)
• Risk Treatment Plan (RTP)
• Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy
Mandatory requirements
• Define scope
• Define ISMS policy
• Define roles and responsibilities
• Define the risk assessment approach and criteria for accepting risk
• Define a level of acceptability of risk
• List assets and define owners
• Identify threats, vulnerabilities, impact, likelihood and risk for each asset
Mandatory requirements
• Estimate levels of risk and define whether risks are acceptable or not
• Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable
• List controls to implement
• Manage lifecycle of documentation
• Obtain management approval of residual risks and for the implementation plan
• Manage resources
Mandatory requirements
• Manage communications
• Implement controls
• Implement a metric for each control
• Monitor performance of the controls
• Review effectiveness of the controls
• Corrective actions
• Preventive actions
• Internal audits
• Management reviews
• Write statement of applicability
ISMS Project Plan
• Identify documents and procedures required by ISO 27001; locate templates and forms
• List activities to implement the security plan: define scope, gap analysis, asset identification, risk assessment, SoA, policies, business continuity, internal audit
Thank you
We appreciate your interest in CTC
Tel: +44 0870 803 2095
Email: [email protected]
Web: www.technical-communicators.com