#113 – Building an ISMS based on ISO/IEC 27001 & ISO/IEC 17799
“I will work in concert with my peers.”
#113 – Building an ISMS based on ISO/IEC 27001
Peter R. Bitterli, CISA, [email protected]
Please observe the copyright: You are allowed to use and
further distribute this presentation only with this copyright
notice attached. If you use parts of this documentation in
presentations or other diagrams you have to refer to the source.
Any commercial use of this presentation is only allowed with
written consent of the author.
© 19.3.2007
© Peter R. Bitterli, Slide 2
Abstract – Building an ISMS based on ISO/IEC 27001 & ISO/IEC 17799
Almost every IT security professional has heard or read about BS7799-2 and/or ISO 17799. Many have used ISO 17799 to their advantage for designing, implementing or even auditing information security – some have used it for writing security policies and others actually for performing risk analysis. BS7799-2 (now ISO 27001), however, is less well known and its contents are often misunderstood. ISO 27001 clearly defines what an Information Security Management System (ISMS) should look like, actually describing the major security management processes any company should have in place. This session explains the differences between the “twin standards” ISO 27001 and ISO 17799, concentrating mostly on the ISMS. It clearly shows how existing security organizations and security management processes fit into such an ISMS and what steps your company should take if you want to professionalize your information security management up to the point where you could get certified. The session also shows many pitfalls that companies might fall into, based on the speaker’s experience both in his capacity as an official expert supervising the accredited certification bodies and as an IT auditor and security consultant.
Slide 3: Learning Objectives – The participants will learn about …
1. what an effective ISMS according to ISO/IEC 27001 is and what mandatory elements it consists of
2. what the main differences are between the “twin standards” ISO/IEC 27001 and ISO/IEC 17799
3. how to improve the existing security processes to a certifiable ISMS
4. why this makes sense even if your company doesn’t want to become ISO/IEC 27001 certified
5. the main lessons the speaker learned by looking at certified and uncertified ISMS of several companies
Slide 4: Content – Overview
Typical unresolved security problems
From CoP to BS7799-2 to ISO 17799/27001
Introduction to ISO/IEC 27001 (elements of an ISMS)
Introduction to ISO/IEC 17799 (the controls)
Certification based on ISO/IEC 27001
Step by step approach to change your ISMS
Major benefits of improving your ISMS
Pitfalls to avoid
Slide 5: Part 1 – Introduction
Typical unresolved information security problems – i.e. ISMS weaknesses
Slide 6: Typical ISMS Weaknesses
Problematic areas:
Parallel internal control systems
Ineffective security organization
Contradictory directives & policies
Outsourcing out of control
Ineffective IT risk management
Inadequate awareness
Poor physical security
Unresolved business continuity issues
Slide 7: Parallel Control Systems – Ineffective systems of internal control
Many, partially parallel systems of internal controls: traditional system of internal controls, security, legal / compliance, data protection, operational risk management, quality assurance, safety, …
Leads to:
Obvious and hidden inconsistencies
Inefficient processes
Members of staff are weary of controls, will circumvent controls, and might commit passive or active sabotage of the ICS
Flood of policies …
Slide 8: Security Organizations – Cemented structures with high frictional loss
Many independent parties maintain that they are “the only one” to take care of security: physical security, IT security, data protection, product security (validation)
Unfavorable reporting lines
Individual kingdoms
Leads to unclear responsibilities, authorities and accountabilities:
Ambiguous responsibilities (> security gaps)
Overlapping authorities (> inconsistencies, > gaps)
Tasks might not be fulfilled (> gaps)
Wastages (> no efficiency)
Trouble with staff …
Slide 9: Directives and Policies – Conflicting directives and wrong use of them
Historically grown directives & policies:
Not up to date
Poor/contradictory definitions
Unclear verbalizations
Too much or too little is regulated
Not known to members of staff
“Americanization” of management’s behaviour
Leads to:
Flood of policies or very selective policies
Employee deviance: impossible to comply; might negate or circumvent existing policies on purpose; might commit passive or active sabotage
Disengagement of management’s expectations from reality …
Slide 10: Outsourcing (Multi-Sourcing) – Unjustifiable trust and critical dependencies
(Still) increasing outsourcing: network, ERP packages, housing/operating provider, “office” provider
Blind trust in outsourcing partner: no provider audits; reliance on certifications and attestations; use of too small companies
Leads to:
Absolute dependency on provider
Governance problems: strategic alignment, efficiency
Compliance problems …
Slide 11: IT Risk Management – ORM will not diminish the need for IT risk management
Operational risk management (ORM) is often far from reality: too superficial, too detailed, too theoretical, too inflexible an approach (must follow software)
No link between ORM and IT risk management
No IT risk management
Leads to:
Incomplete risk landscapes
Unrecognized risks with high severity
Ineffective risk management, e.g. in the area of IT security …
Slide 12: Security Awareness – Missing security awareness increases risks
No, superficial or discontinuous security awareness
Management attitude that (additional) awareness training is not necessary
Management itself is the biggest problem!
Leads to:
Little understanding for measures and directives
Every employee individually decides how secure he/she wants to be
Careless treatment of critical information and systems
Inadequate support and budget for security …
Slide 13: Physical Security – Even data centres and banks are not always really secure
Unclear perimeter: clients, meeting zones, internal offices
Risks in the neighborhood: restaurants, subterranean parking, …
Cumulation of risks (“all eggs in one basket”)
Non-compliance with safety regulations
Leads to:
Access of unauthorized persons to inner offices
A wrong impression given to visiting VIPs
Threat to health and lives
Possible loss of complete site …
Slide 14: Business Continuity – Insufficient and unproven measures
Critical business processes are not known
No SLAs, neither for normal operations nor for emergencies
No willingness of management for analysis, documentation and reduction of processes
Leads to:
Missing awareness on management level
Fragmentary emergency plan
Untested sub-plans
Ineffective measures
Erratic updating of plans …
Slide 15: Typical IT Risk Landscape (Typical “generic” risks of a mid-sized company)
[Risk matrix figure: the 16 numbered risks below are plotted by probability (p) against damage potential (A). Probability axis: A very unlikely (every 10.000 days), B unlikely (every 1000 days), C likely (every 100 days), D frequently (every 10 days), E daily (every day). Damage potential axis: 1 low, 2 medium, 3 high, 4 very high, 5 critical.]
Numbered risks:
1 Half-day power loss
2 Failure of outsourcing provider
3 Loss of confidentiality of customer data
4 Malicious code
5 Access management
6 Telebanking (phishing)
7 Patch management
8 Non-compliance with rules
9 Network interrupt
10 Infringements
11 Loss of key personnel
12 Password handling
13 Application of new technologies
14 Application dependent controls
15 Unsuited BCM/BCP
16 Internal sabotage
Slide 16: What is the Solution?
Build an information security management system (ISMS) with:
security management processes according to ISO/IEC 27001
security measures (i.e. controls) based on ISO/IEC 17799
Maybe: have it certified
Slide 17: Part 2 – Evolution of Standards
History of the “Code of Practice for Information Security Management” and overview of the ISO/IEC 27000 Standards Family
Slide 18: Evolution of Code of Practice (Code of Practice for Information Security Management)
[Timeline figure, reconstructed as a list:]
Origins: Shell Best Practices and Shell Baseline Security Controls; SRI International Survey of Industry and SRI International Baseline Controls; best practices of BT, Marks & Spencer, Midland, BOC, Nationwide & Unilever
DTI Code of Practice
1995: British Standard BS7799-1: 1995
1998: British Standard BS7799-2: 1998
1999: British Standard BS7799-1: 1999 and British Standard BS7799-2: 1999
12.2000: ISO Standard ISO 17799: 2000
9.2002: British Standard BS7799-2: 2002
6.2005: ISO Standard ISO 17799: 2005
2005: British Standard BS7799-2: 2005
10.2005: ISO Standard ISO 27001
???: ISO Standard ISO 27002
Slide 19: ISO/IEC 27000 Family – Building an Information Security Management System
[Figure of the standards family, reconstructed as a list. The figure distinguishes terminology, requirements and guideline standards, marks each as published or to be published, and shows which of them support the PDCA cycle:]
27000 Overview & Vocabulary (terminology)
27001 ISMS Requirements (requirements)
27002 Code of Practice (guideline)
27003 Implementation Guidance
27004 ISM Measurements
27005 Risk Management
27006 Accreditation Requirements (requirements)
27007 (?) ISMS Audit Guidelines
Related standards: 13335-x ICT Security, 15947 IDS Framework, 18043 IDS Management, 18028-x Network Security, 18044 Incident Management, control implementation and others …
Source: Peter Weiss, Zurich
Slide 21: Part 3 – Major contents of an ISMS
Brief explanation of ISO/IEC 27001
Slide 22: Scope – Building an effective Information Security Management System
ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
Source: ISO/IEC 27001 Chapter 1 Scope
Slide 23: Contents – ISO/IEC 27001 (formerly known as BS7799-2)
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Information Security Management System
5 Management responsibility
6 Internal ISMS audits
7 Management review of the ISMS
8 ISMS improvement
– Annexes
Slide 24: ISMS – PDCA Model – Building an effective Information Security Management System
[PDCA cycle figure: PLAN = Establish the ISMS; DO = Implement and operate the ISMS; CHECK = Monitor and review the ISMS; ACT = Maintain and improve the ISMS]
Source: Peter Weiss, Zurich
Slide 25: Establish the ISMS – Building an effective Information Security Management System
[PDCA figure, PLAN phase highlighted. Risk management steps of “Establish the ISMS”: Define ISMS scope & policy; Carry out risk assessment; Decide on risk treatment; Select controls (from 17799); Accept residual risks]
Source: Peter Weiss, Zurich
Slide 26: Implement and Operate ISMS – Building an effective Information Security Management System
[PDCA figure, DO phase highlighted. Steps: Formulate & implement risk treatment plan; Implement controls; Define effectiveness measurement of controls; Implement training/awareness; Manage operations & resources of the ISMS]
Source: Peter Weiss, Zurich
Slide 27: Monitor and Review ISMS – Building an effective Information Security Management System
[PDCA figure, CHECK phase highlighted. Steps: Execute monitoring procedures; Regularly review effectiveness of ISMS; Measure effectiveness of controls; Review risk assessments; Conduct internal ISMS audits and management reviews; Update security plan]
Source: Peter Weiss, Zurich
Slide 28: Maintain and Improve ISMS – Building an effective Information Security Management System
[PDCA figure, ACT phase highlighted. Steps: Implement improvements; Take corrective and preventive actions; Communicate results; Ensure improvements achieve objectives]
Source: Peter Weiss, Zurich
Slide 29: Part 4 – Security Controls
Brief explanation of ISO/IEC 17799 (will become ISO/IEC 27002)
Slide 30: Contents – ISO/IEC 17799 (soon to become ISO/IEC 27002)
1 Scope
2 Terms and definitions
3 Structure of standards
4 Assessment and treatment of risks
5 Security policy
6 Organisation of information security
7 Asset management
8 Human resource security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance
(Grouped into: general information, organizational issues, technical issues)
Slide 31: Security Policy – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Term “information security”
Definition of objectives
Enterprise-specific security requirements
Responsibilities
Regular updates
Policy
Security concept (baseline protection)
Guidelines
Slide 32: Organisation of Security – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Security organisation: security committee; coordination of all security concerns; responsibilities; approval of IT installations; specialist know-how; third party cooperation; independent security assessment
Security in third party companies: identification of risks; security on the customer’s site; security requirements in contracts
Slide 33: Management of Inf. Assets – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Responsibilities: inventory; assignment to “owners”; acceptable use policy
Classification: classification policy; labelling and handling
Slide 34: Human Resources Security – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Prior to employment: roles and responsibilities; background checks; terms and conditions of employment
During employment: management responsibilities; awareness education and training; disciplinary process
Change/termination of employment: termination responsibilities; return of assets; removal of access rights
Slide 35: Physical/Environmental Security – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Secure areas: security perimeter; entry controls; securing offices, rooms and facilities; protection against external and environmental threats; working in secure areas; delivery and loading areas
Equipment security: site; power supply; cabling; maintenance; off-premises usage; disposal; removal of property
Slide 36: Communication and Operations – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Operating procedures and responsibilities
Third-party services
Planning and acceptance of systems
Protection against malicious code
Backup
Network security management
Media handling
Exchange of information and software
E-commerce services
Monitoring
Slide 37: Access Control – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Business requirements for access control
Administration of access rights
User responsibilities
Network access control
Operating system access control
Application access control
Mobile computing / teleworking
Slide 38: Systems Acquisition, Development and Maintenance – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Definition of security requirements
Correct processing in applications: input, processing, authentication, output
Cryptographic controls: concept, encryption
Security of system files
Security in development and support processes
Technical vulnerability management
Slide 39: Incident Management – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Reporting information security incidents and weaknesses
Management of information security incidents and improvements
Slide 40: Business Continuity – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Information security aspects in BCM
Business continuity and risk management
Development and implementation of business continuity plans
Planning framework
Testing, maintaining and reassessing business continuity plans
Slide 41: Compliance – ISO/IEC 17799 (soon to become ISO/IEC 27002)
Compliance with legal requirements: applicable law; intellectual property rights; records; data protection / privacy; prevention of misuse; regulation of cryptographic controls
Compliance with policies and standards: policies; compliance with technical standards
Systems audit: audit procedure; protection of tools
Slide 42: Grouping of Main Chapters – ISO/IEC 17799 (soon to become ISO/IEC 27002)
[Figure grouping the main chapters into organizational issues and technical issues: 5. Security policy; 6. Organization of information security; 7. Asset management; 8. Human resources security; 9. Physical and environmental security; 10. Communications and operations management; 11. Access control; 12. Systems acquisition, development and maintenance; 13. Information security incident management; 14. Business continuity management; 15. Compliance]
based on: Callio
Slide 43: Part 5 – Accreditation & Certification
Brief explanation of accreditation and certification processes based on ISO/IEC 27001 and ISO/IEC 27006 (draft)
Slide 44: Terms (I) – Used in the context of accreditation & certification
Compliance is a self-assessment carried out by the organization in order to verify whether a system that has been implemented complies with a standard.
Certification (Registration) is conferred by an accredited certification body when an organization successfully completes an independent audit, thus certifying that the management system meets the requirements of a specific standard, e.g. ISO/IEC 27001.
Slide 45: Terms (II) – Used in the context of accreditation & certification
Remark: A company may comply with ISO/IEC 17799, but certification is only possible with ISO/IEC 27001.
Accreditation consists of the means by which an authorized organization (the accreditation body) officially recognizes the authority of a certification body to evaluate, certify and register an organization’s ISMS with regard to published standards.
Slide 46: Overview over Terms – Accreditation and certification
[Figure: an Accreditation Body (AB) accredits Certification Bodies (CB); each CB in turn certifies a number of Certified Companies. Accreditation bodies: http://www.european-accreditation.org, www.iaf.nu. Certification body example: http://www.xisec.com]
Slide 47: Scoping – Only the “area” within the defined scope will be certified
Source: www.ceem.com
Slide 48: Certificates – Examples
ISO 9001
ISO 14001
ISO 27001 (originally: BS 7799-2 ISMS)
BS 15000 / ISO 20000
…
BSI: British Standard Institute
ISO: International Organization for Standardization
IEC: International Electrotechnical Organization
ISO/IEC JTC1: Joint Technical Committee
Slide 49: Current Certifications CH
Source: www.iso27001certificates.com, downloaded on 2.2.2007
Slide 50: Certification Audit (I) – Audit process of accredited certifier
Stage 1: Review of ISMS documentation: scope; ISMS policy; risk report; risk treatment; Statement of Applicability; core elements of ISMS
Stage 2: Visit to the company. Review of compliance: whether security policies, security objectives, procedures and the ISMS conform to ISO 27001 and achieve the security objectives (as in ISO 17799)
Slide 51: Certification Audit (II) – Audit process of accredited certifier
Results of stage 2: nonconformities (major, minor); observations
Report: audit team reports to CB; company comments and specifies improvements; CB confirms corrections
Slide 52: Surveillance Audit – … of certification body (CB)
Periodic, often enough
Non-conformities must be corrected within agreed time span
If not: reduction, suspension or recall of certification
Slide 53: Internal Audit – Internal ISMS audit by the certified company itself
In planned intervals
Review whether the ISMS …
complies with ISO 27001 requirements
complies with relevant laws and regulations
has been implemented in an effective way
is being maintained
does what is expected
Slide 54: Re-Certification – Re-assessment by the original certification body (CB)
Normally every three years
Purpose: to verify the continuing compliance with ISO 27001 requirements. In general this comprises:
Verification that the approved ISMS is still implemented
Review of all changes to the ISMS
Confirmation of compliance with ISO 27001, ISO 17799
Internal maintenance (audit, security review, management review, preventive/corrective actions)
Slide 55: Accreditation of CB – The auditor is audited too
[Figure: the Accreditation Body (AB) accredits the Certification Body (CB), which certifies the certified company]
Requirements:
ISO Guide 62 (and EN 45012): general requirements/criteria for accreditation, applicable for ISO 9001, ISO 14001, BS7799-2
EA 7/03 states Guide 62 more precisely in relation to ISMS audits (will become ISO 27006)
ISO 19001: Criteria for auditors’ competence
…
Slide 57: Part 6 – Implementing an ISMS
Step by step approach to change your existing non-formal ISMS to an ISO/IEC 27001-like ISMS that could be formally certified
Slide 58: Our ISMS Approach – In 30 steps twice around the PDCA circle to gain momentum
[Figure: two consecutive PDCA cycles. Phase I: Establish the ISMS (PLAN), Implement and operate the ISMS (DO), Monitor and review the ISMS (CHECK), Maintain and improve the ISMS (ACT); phase II then repeats the same four stages]
Source: Peter Weiss, Zurich
Slide 59: Goal of an ISMS
An Information Security Management System is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
Source: ISO/IEC 27001 Chapter 1 Scope
Slide 60: Establish the ISMS – Building an effective Information Security Management System
[PDCA figure, PLAN phase highlighted, as on slide 25. Risk management steps: Define ISMS scope & policy; Carry out risk assessment; Decide on risk treatment; Select controls (from 17799); Accept residual risks]
Source: Peter Weiss, Zurich
Slide 61: Define the Scope – “Easy” steps to implement an ISMS: Step 1 (PLAN: Establish the ISMS)
Even if you don’t aim for certification, you should define the scope of your ISMS. Start slowly and enlarge your scope as you progress in maturity, e.g. start with:
IT
headquarters
those departments with high business risks
highly regulated areas of your company
But first: define responsibilities, authorities & accountabilities
Slide 62: Define High-level Policy – “Easy” steps to implement an ISMS: Step 2 (PLAN: Establish the ISMS)
Define an overall ISMS policy that …
includes a framework for setting objectives and establishes an overall sense of direction and principles for information security
takes into account business and legal or regulatory requirements and contractual security obligations
aligns with the organization’s strategic risk management
has been approved by management
Source: ISO/IEC 27001 Chapter 4.2.1 Establish the ISMS
Slide 63: Define Areas of Applicability – “Easy” steps to implement an ISMS: Step 3 (PLAN: Establish the ISMS)
Not all 133 controls need to be implemented, as they are not all relevant and applicable
Therefore: put together a list of those controls …
that cover legal and regulatory requirements, contractual obligations and the organization’s business requirements
or are necessary because of the risk assessment and risk treatment process (steps 4a – 4c)
Slide 64: Maturity & Risk Assessment – “Easy” steps to implement an ISMS: Step 4a (PLAN: Establish the ISMS)
Perform a controls self assessment (CSA) in combination with a “quick & dirty” risk assessment:
Go through all of the 133 controls
Rate the “maturity level” of these controls
Rate the severity if an incident would happen that is (should be) covered by the respective control
Remark: The purpose of the shown “quick & dirty” risk assessment approach is to get the whole ISMS improvement process going. It must later be replaced by a formally defined risk assessment and risk treatment plan, as mentioned in step 20 of the shown approach.
Slide 65: Example of CSA – “Easy” steps to implement an ISMS: Step 4b (PLAN: Establish the ISMS)
[Radar chart figure: one axis per ISO/IEC 17799 control objective (5.1, 6.1, 6.2, 7.1, 7.2, 8.1–8.3, 9.1, 9.2, 10.1–10.10, 11.1–11.7, 12.1–12.6, 13.1, 13.2, 14.1, 15.1–15.3), maturity scale 0–4. Legend: current maturity level (green area); room for improvement; maturity level aimed at (3); maximum maturity level (4)]
Slide 66: CSA Combined with Severity – “Easy” steps to implement an ISMS: Step 4c (PLAN: Establish the ISMS)
Comment: Shown ratings are for demonstration purposes only
[Figure: the controls are plotted by maturity against severity and divided into four quadrants I–IV, labelled: urgent need for improvement! (quadrant I); areas where controls are necessary but effective; possible savings; low priority]
Slide 67: Conformity Requirements – “Easy” steps to implement an ISMS: Step 5 (PLAN: Establish the ISMS)
Check whether the exclusion of certain controls is acceptable (obtain management approval of residual risk).
Comment: For certification, the exclusion of certain controls is only acceptable if these exclusions do not affect the organization’s ability and/or responsibility to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
Source: ISO/IEC 27001 Chapter 1 Scope
Slide 68: Implement and Operate ISMS – Building an effective Information Security Management System
[PDCA figure, DO phase highlighted, as on slide 26. Steps: Formulate & implement risk treatment plan; Implement controls; Define effectiveness measurement of controls; Implement training/awareness; Manage operations & resources of the ISMS]
Source: Peter Weiss, Zurich
Slide 69: Implement Risk Treatment – “Easy” steps to implement an ISMS: Step 6 (DO: Implement and operate the ISMS)
Instead of the required detailed risk treatment plan, start with the following pragmatic approach:
For all controls identified in step 4c as “Urgent need for improvement” (quadrant I), implement the respective controls as shown in ISO/IEC 17799 (i.e. as good/best practices)
Rate the effectiveness of these controls indirectly by re-measuring the “maturity level”
Slide 70: Improve Security Awareness – “Easy” steps to implement an ISMS: Step 7 (DO: Implement and operate the ISMS)
Start marketing security primarily towards (senior) management
Show radar chart of step 4b
Show severity assessment of step 4c
Start asking about personal nightmares
Show management typical situations such as those mentioned in the introduction
Slide 71: Security Resources – “Easy” steps to implement an ISMS: Step 8 (DO: Implement and operate the ISMS)
Identify current resources for information security: security officers, security engineers (list part-timers separately)
Collect the same information from your peers
Start asking for more resources, arguing with:
Increasing legal/regulatory requirements
Recent incidents from own organization
Incidents in headlines
Comparisons with peers
Slide 72: Monitor and Review ISMS – Building an effective Information Security Management System
[PDCA figure, CHECK phase highlighted, as on slide 27. Steps: Execute monitoring procedures; Regularly review effectiveness of ISMS; Measure effectiveness of controls; Review risk assessments; Conduct internal ISMS audits and management reviews; Update security plan]
Source: Peter Weiss, Zurich
Slide 73: Identify Security Incidents – “Easy” steps to implement an ISMS: Step 9 (CHECK: Monitor and review the ISMS)
Start collecting information on …
attempted and successful breaches of security
any other security incidents
current threat situation (i.e. viruses, spam, …)
Start a “security round table” with representatives from …
Operations
Help Desk / 2nd Level Support
Security
(IT) Risk Management
Slide 74: Security Reviews – “Easy” steps to implement an ISMS: Step 10 (CHECK: Monitor and review the ISMS)
Start with first reviews of the effectiveness of (selected parts of) the ISMS, e.g.
where incidents occurred
where audit reports showed deficiencies
where incidents could have a high severity (quadrant I in step 4c)
where your personal experience points to possible room for improvement (professional judgement)
…
Slide 75: Security Plans – “Easy” steps to implement an ISMS: Step 11 (CHECK: Monitor and review the ISMS)
Formulate concrete security plans (i.e. security programs) with the necessary improvement activities based on:
Best practice controls (step 6)
Security incidents
Results of security reviews
Slide 76: Maintain and Improve ISMS – Building an effective Information Security Management System
[PDCA figure, ACT phase highlighted, as on slide 28. Steps: Implement improvements; Take corrective and preventive actions; Communicate results; Ensure improvements achieve objectives]
Source: Peter Weiss, Zurich
Slide 77: Implement Improvements – “Easy” steps to implement an ISMS: Step 12 (ACT: Maintain and improve the ISMS)
Implement the identified improvement measures with high emphasis, as shown in the security program:
Keep track of progress
Slide 78: Communication – “Easy” steps to implement an ISMS: Step 13 (ACT: Maintain and improve the ISMS)
Communicate progress to stakeholders
Slide 79: Intermediate Phase – In 30 steps twice around the PDCA circle to gain momentum
[Figure: the two-cycle PDCA diagram of slide 58 (phase I and phase II), marking the transition from phase I to phase II]
Source: Peter Weiss, Zurich
Slide 80: Improve Documentation (I) – “Easy” steps to implement an ISMS: Step 14a
For phase II you must improve the quality of the ISMS documentation:
Records of management decisions
Actions are traceable to management decisions
Recorded results must be reproducible
Demonstrate the relationship from selected controls back to the results of the risk assessment and risk treatment process
Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
Slide 81: Improve Documentation (II) – “Easy” steps to implement an ISMS: Step 14b
ISMS documentation shall include:
Documented statements of the ISMS policy and objectives
Scope of ISMS
Procedures and controls in support of the ISMS
Description of the risk assessment methodology
Risk assessment report
Risk treatment plan
Documented security management procedures
Statement of Applicability
Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
Slide 82: Improve Documentation (III) – “Easy” steps to implement an ISMS: Step 14c
Protect and control ISMS documentation:
Approve documents for adequacy prior to use
Review, update and then re-approve documents
Changes and current revision status of documents are identified
Ensure documents are available to those who need them
Ensure controlled distribution
Prevent use of obsolete documents
…
Source: ISO/IEC 27001 Chapter 4.3 Documentation Requirements
© Peter R. Bitterli, Slide 83
Control of Records
“Easy” steps to implement an ISMS: Step 15
Establish records to provide evidence of conformity to requirements and of the effective operation of the ISMS:
Records need to be protected and controlled
Take into account relevant legal or regulatory requirements and contractual obligations
Records must be retrievable
The controls for record management must themselves be documented
Source: ISO/IEC 27001 Chapter 4.3.3 Control of records
Management Commitment
“Easy” steps to implement an ISMS: Step 16
Management shall provide evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS:
Establish policy, roles & responsibilities
Communicate the importance of security
Provide sufficient resources
Decide criteria for accepting risks
Ensure internal ISMS audits and management reviews
Source: ISO/IEC 27001 Chapter 5 Management responsibility
Establish the ISMS
Building an effective Information Security Management System
Diagram: the PDCA circle (PLAN / DO / CHECK / ACT) with the PLAN phase "Establish the ISMS (phase II)" highlighted. Its steps, all within risk management: Define ISMS scope & policy; Carry out risk assessment; Decide on risk treatment; Select controls (from 17799); Accept residual risks.
Source: Peter Weiss, Zurich
Broaden the Scope
“Easy” steps to implement an ISMS: Step 17
Try to broaden the scope from …
within IT
headquarters
those departments with high business risks
the highly regulated areas of your company
… to the whole organization.
PLAN: Establish the ISMS
Streamline Policies
“Easy” steps to implement an ISMS: Step 18a
Based on the defined overall ISMS policy, review and streamline all other directives, policies and guidelines that concern information in any form (electronically stored, processed, printed, written, transmitted, spoken):
Clear up definitions
Remove contradictions and redundancies
Remove all parts that are not necessary
PLAN: Establish the ISMS
Streamline Policies
“Easy” steps to implement an ISMS: Step 18b
Hint: Be aware that there is no standard terminology
PLAN: Establish the ISMS
Verify Areas of Applicability
“Easy” steps to implement an ISMS: Step 19
Check whether the subset of the 133 controls that were implemented in the first phase needs to be enlarged based on changes in scope or risks.
PLAN: Establish the ISMS
Formal Risk Assessment (I)
“Easy” steps to implement an ISMS: Step 20a
Improve your current risk assessment and treatment to a more mature process:
Formalize the risk assessment methodology
Determine criteria for risk acceptance
Identify assets within the scope of the ISMS and the owners of the assets
Identify threats to those assets
Identify vulnerabilities that might be exploited by those threats
Identify the impact if those vulnerabilities are exploited
Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS
PLAN: Establish the ISMS
Formal Risk Assessment (II)
“Easy” steps to implement an ISMS: Step 20b
Improve your current risk assessment and treatment to a mature process (cont.):
Analyze and evaluate the risks
Identify and evaluate options for the treatment of risks
Select control objectives and controls for the treatment of risks
Obtain management approval of residual risks
Source: ISO/IEC 27001 Chapter 4.2.1 Establish ISMS
PLAN: Establish the ISMS
Formal Risk Assessment (III)
“Easy” steps to implement an ISMS: Step 20c
Figure: risk matrix with 21 numbered risks plotted by probability (rows) against severity (columns).
Probability classes: A highly improbable (every 10,000 days); B improbable (every 1000 days); C probable (every 100 days); D often (every 10 days); E daily (every day)
Severity classes: 1 low; 2 medium; 3 high; 4 very high; 5 critical
Risk 16: Remote Access Vulnerabilities will be reduced by security program elements: A: Remote Access Server, Single Sign-On; B: Awareness; C: Regulations (Contract management, policies)
(Example for demonstration purposes only *)
PLAN: Establish the ISMS
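As an added example (not from the presentation or its author), the following Python risk register puts the procedure of Steps 20a to 20c into working form and also produces the control-to-risk traceability that Step 14a asks for: it maps an expected frequency onto the A to E probability classes of the matrix, scores the cell, applies a risk-acceptance criterion, models the effect of the three program elements listed for Risk 16, and lists every control in the Statement of Applicability that no risk justifies. The scoring rule, the acceptance criterion, the register entries and the control references are constructed assumptions; the position of Risk 16 on the original matrix is not recoverable from the slide, so it is placed at D/4 here.

```python
"""Risk register helper for the probability x severity matrix on the slide.

Added example, not part of the original presentation. Acceptance criterion,
scoring rule, risk entries, program elements and control references are
constructed assumptions for illustration only.
"""

from dataclasses import dataclass, field
import math

# Probability classes of the slide: class letter -> typical days between occurrences
PROBABILITY_DAYS = {"A": 10_000, "B": 1_000, "C": 100, "D": 10, "E": 1}
PROBABILITY_LABELS = {"A": "highly improbable", "B": "improbable",
                      "C": "probable", "D": "often", "E": "daily"}
SEVERITY_LABELS = {1: "low", 2: "medium", 3: "high", 4: "very high", 5: "critical"}

# Assumed acceptance criterion decided by management (Step 20a): a cell is accepted
# only if its score is at most 6 AND its severity is at most "high". The severity cap
# keeps rare-but-critical scenarios from slipping under a purely multiplicative score.
ACCEPT_LEVEL = 6
ACCEPT_MAX_SEVERITY = 3


def probability_class(days_between_occurrences: float) -> str:
    """Map an expected interval (in days) to the nearest A..E class on a log10 scale."""
    if days_between_occurrences <= 0:
        raise ValueError("interval must be positive")
    # log10(1)=0 -> E, log10(10)=1 -> D, ..., log10(10000)=4 -> A; clamp beyond the scale
    step = min(4, max(0, round(math.log10(days_between_occurrences))))
    return "EDCBA"[step]


def risk_level(prob_class: str, severity: int) -> int:
    """Ordinal score 1..25: probability row (A=1 .. E=5) times severity column (1..5)."""
    if prob_class not in PROBABILITY_DAYS or severity not in SEVERITY_LABELS:
        raise ValueError("unknown probability class or severity")
    return ("ABCDE".index(prob_class) + 1) * severity


@dataclass
class Control:
    ref: str        # reference as it appears in the Statement of Applicability
    name: str
    lowers: str     # "probability" or "severity"
    by: int = 1     # number of classes the control is credited with


@dataclass
class Risk:
    rid: int
    asset: str
    threat: str
    vulnerability: str
    probability: str
    severity: int
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Apply the selected controls; never move beyond the ends of the scales."""
        p, s = "ABCDE".index(self.probability), self.severity
        for c in self.controls:
            if c.lowers == "probability":
                p = max(0, p - c.by)
            else:
                s = max(1, s - c.by)
        return "ABCDE"[p], s


def treatment_decision(risk: Risk) -> str:
    """Knowingly accept the residual risk, or flag it for further treatment (Step 21)."""
    p, s = risk.residual()
    accepted = risk_level(p, s) <= ACCEPT_LEVEL and s <= ACCEPT_MAX_SEVERITY
    return "accept" if accepted else "treat further"


def soa_traceability(risks: list) -> dict:
    """Control reference -> ids of the risks that justify it (Step 14a)."""
    trace = {}
    for r in risks:
        for c in r.controls:
            trace.setdefault(c.ref, []).append(r.rid)
    return trace


def unjustified_controls(soa_refs: list, risks: list) -> list:
    """Controls claimed in the SoA that no risk points to: an auditor will ask why."""
    trace = soa_traceability(risks)
    return [ref for ref in soa_refs if ref not in trace]


# Constructed register. Control references are illustrative only; check them against
# your copy of ISO/IEC 17799:2005 before using them in a real Statement of Applicability.
REMOTE_ACCESS_SERVER = Control("11.4.2", "Remote Access Server, Single Sign-On", "probability")
AWARENESS = Control("8.2.2", "Awareness", "probability")
REGULATIONS = Control("6.2.3", "Regulations (contract management, policies)", "severity")

RISK_16 = Risk(16, "Corporate network", "Unauthorised remote user",
               "Remote access vulnerabilities", probability_class(10), 4,
               [REMOTE_ACCESS_SERVER, AWARENESS, REGULATIONS])
RISK_03 = Risk(3, "Data centre", "Fire", "No fire suppression", probability_class(10_000), 5)
RISK_07 = Risk(7, "Payroll database", "Fraud by insider", "Shared admin account",
               probability_class(100), 5, [AWARENESS])
REGISTER = [RISK_03, RISK_07, RISK_16]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.rid, r.probability, r.severity, "->", r.residual(), treatment_decision(r))
    print(soa_traceability(REGISTER))
    print(unjustified_controls(["11.4.2", "8.2.2", "6.2.3", "10.4.1"], REGISTER))
```

Risk 16 moves from D/4 to B/3 after the three program elements and is accepted; Risk 3 (A/5) stays below the score threshold but fails the severity cap, which is the case a purely multiplicative matrix would wave through.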
Implement and Operate ISMS
Building an effective Information Security Management System
Diagram: the PDCA circle (PLAN / DO / CHECK / ACT) with the DO phase "Implement and operate the ISMS (phase II)" highlighted. Its steps, all within risk management: Formulate & implement risk treatment plan; Implement controls; Define effectiveness measurement of controls; Implement training/awareness; Manage operations & resources of the ISMS.
Source: Peter Weiss, Zurich
Implement Risk Treatment
“Easy” steps to implement an ISMS: Step 21
Determine the detailed risk treatment plan:
Identify options for risk treatment
Apply appropriate controls
Knowingly and objectively accept risks (provided they clearly satisfy the organization’s policies and criteria for accepting risks)
Check whether additional controls (e.g. ones not listed in ISO/IEC 17799) need to be implemented
Determine how progress will be assessed
DO: Implement and operate the ISMS
Further Security Awareness
“Easy” steps to implement an ISMS: Step 22
Start a formal information security awareness campaign that aims for competent staff:
Analyze the target audience
Decide on overall goals, contents and approaches
Develop a security marketing campaign
In any case, implement:
formal classroom-based training (users, IT, …)
a combination of other delivery channels
Develop and implement metrics
Roll out and monitor the campaign
DO: Implement and operate the ISMS
Get more Security Resources
“Easy” steps to implement an ISMS: Step 23a
Based on the security program of phase II, estimate the resources required for information security.
Always ask for about 20% more resources than needed; argue with:
Still increasing legal/regulatory requirements
Results of the risk assessment performed
Many ongoing security programs
More incidents in the headlines
List of intangible benefits (see next page)
DO: Implement and operate the ISMS
Intangible Security Benefits
“Easy” steps to implement an ISMS: Step 23b
Benefits affecting clients and partners:
Higher quality
Proven availability
Broader functionality
More flexibility
…
Benefits affecting the organization:
Brand
Skills & knowledge
Training
Leadership & culture
Growth & opportunities
…
DO: Implement and operate the ISMS
Monitor and Review ISMS
Building an effective Information Security Management System
Diagram: the PDCA circle (PLAN / DO / CHECK / ACT) with the CHECK phase "Monitor and review the ISMS (phase II)" highlighted. Its steps, all within risk management: Execute monitoring procedures; Regularly review effectiveness of ISMS; Measure effectiveness of controls; Review risk assessments; Conduct internal ISMS audits and management reviews; Update security plan.
Source: Peter Weiss, Zurich
Improve Incident Management
“Easy” steps to implement an ISMS: Step 24
Incident management is considered a critical success factor of an ISMS, i.e. it needs to be highly effective:
Processes for reporting events are established
Correct behaviour needs to be known
Feedback should be provided
A disciplinary process is necessary
Link to problem management
Prevention should be a high priority, too!
CHECK: Monitor and review the ISMS
Security Compliance Reviews
“Easy” steps to implement an ISMS: Step 25
Perform security compliance reviews of the effectiveness of (selected parts of) the ISMS, e.g.
where you have invested $$ in improvements
where the risk assessment shows a lack of controls
where management attention is insufficient
where quick improvements are possible
…
If possible, look for objective security metrics
CHECK: Monitor and review the ISMS
Management Reviews
“Easy” steps to implement an ISMS: Step 26
Perform a management review (once a year) of the ISMS to ensure its continuing suitability, adequacy and effectiveness; include:
Results of ISMS audits and reviews
Status of preventive and corrective actions
Results from effectiveness measurement
Come to a decision and take action:
Improvement of effectiveness
Update of risk assessment and treatment plan
Modification of controls that affect information security
CHECK: Monitor and review the ISMS
Status Monitoring
“Easy” steps to implement an ISMS: Step 27
CHECK: Monitor and review the ISMS
Maintain and Improve ISMS
Building an effective Information Security Management System
Diagram: the PDCA circle (PLAN / DO / CHECK / ACT) with the ACT phase "Maintain and improve the ISMS (phase II)" highlighted. Its steps: Implement improvements; Take corrective and preventive actions; Communicate results; Ensure improvements achieve objectives.
Source: Peter Weiss, Zurich
Continuing Improvements
“Easy” steps to implement an ISMS: Step 28
Identify nonconformities and their causes
Evaluate the need for further actions
Determine and implement corrective action
Record the result of the action taken
Aim for prevention, i.e. identify potential nonconformities
ACT: Maintain and improve the ISMS
Accelerate Communication
“Easy” steps to implement an ISMS: Step 29
Communicate actions and improvements to all interested parties with a level of detail appropriate to the circumstances
Ask for agreement on how to proceed
Implement a quarterly top management security status report (“dashboard”)
ACT: Maintain and improve the ISMS
Aim for Certification
“Easy” steps to implement an ISMS: Step 30
If not yet done: formally decide on certification
Perform a gap analysis for certification (ISO/IEC 27001 & ISO/IEC 17799)
Implement a “certification rollout program”
ACT: Maintain and improve the ISMS
Benefits
Part 7
Discussion of some of the major benefits of improving your ISMS to a mature ISMS
Support of OECD Principles
Building an effective Information Security Management System
Awareness of the need for information security
Responsibility for information security
Prevent, detect and respond to incidents
Ethics: respecting the interests of others
Information security compatible with the essential values of a democratic society
Risk management providing levels of assurance towards acceptable risks
Security incorporated in systems
Continuous improvement
Source: Peter Weiss, Zurich
Other Benefits
Every company has an ISMS – but most have an ineffective one
An improved ISMS …
lowers the probability of major security incidents
decreases the severity of low-probability scenarios
removes contradictions, bottlenecks and blind spots
improves security awareness
lets you invest your $$$ more effectively
demonstrates proper stewardship
gets the auditors off your back
lets you sleep well
…
Pitfalls to avoid
Part 9
Some pitfalls to avoid during such an improvement process
Pitfalls to avoid (I)
Building an effective Information Security Management System
Give the ISMS improvement project to a person that
has no security experience
is a security engineer (a techie)
has been too long in your company
is not a good communicator
is too junior or too old
>>> and you will fail!
Pitfalls to avoid (II)
Building an effective Information Security Management System
No backing from executive management
Unclear authorities & accountabilities
Not enough funding for 2–3 years
Not enough human resources
Too short a time span for results
“Play hockey instead of curling”
Underestimating corporate culture
Believing that operational risk management will solve your security issues
For More Information:
Peter R. Bitterli, CISA
Bitterli Consulting AG & ITACS Training AG
prb(at)bitterli-consulting.ch
“I will work in
concert with
my peers.”
Thank you!