Basic introduction to iso27001

Basic Introduction to ISO27001: Scope, Implementation & Application Created By Imran Ahmed (ImranahmedIT) www.imran-ahmed.co.uk

Transcript of Basic introduction to iso27001

Page 1: Basic introduction to iso27001

Basic Introduction to ISO27001:

Scope, Implementation & Application

Created By Imran Ahmed (ImranahmedIT)

www.imran-ahmed.co.uk

Page 2: Basic introduction to iso27001

Introduction

ISO 27001 is the international standard describing best practice for an Information Security Management System (ISMS).

An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

ISO 27001 certification shows that the business has defined and implemented effective information security processes.


Page 3: Basic introduction to iso27001

Benefits of ISO27001 – Table (1)

1. Information Security Issue: With increasing fines for personal data breaches, organizations need to ensure compliance with legislative requirements, such as the UK Data Protection Act.
   How ISO 27001 helps: It provides a framework for the management of information security risks, which ensures you take into account your legal and regulatory requirements.
   Benefits:
   • Supports compliance with relevant laws and regulations
   • Reduces likelihood of facing prosecution and fines
   • Can help you gain status as a preferred supplier

2. Information Security Issue: Potential information breach, damaging your reputation.
   How ISO 27001 helps: It requires you to identify risks to your information and put in place security measures to manage or reduce them.
   Benefits:
   • Protects your reputation
   • Provides reassurance to clients that their information is secure
   • Cost savings through reduction in incidents

3. Information Security Issue: Availability of vital information at all times.
   How ISO 27001 helps: It ensures that authorised users have secure access to information when they need it.
   Benefits:
   • Demonstrates credibility and trust
   • Improves your ability to recover your operations and continue business as usual


Page 4: Basic introduction to iso27001

Benefits of ISO27001 – Table (2)

4. Information Security Issue: Lack of confidence in your organization's ability to manage information security risks.
   How ISO 27001 helps: Gives you a framework for identifying risks to information security and implementing appropriate management and technical controls.
   Benefits:
   • Confidence in your information security arrangements
   • Better visibility of risks amongst interested stakeholders

5. Information Security Issue: Difficulty in responding to rising customer expectations in relation to the security of their information.
   How ISO 27001 helps: It provides a way of ensuring that a common set of policies, procedures and controls is in place to manage risks to information security.
   Benefits:
   • Meet customer and tender requirements
   • Reduce third-party scrutiny of your information security requirements
   • Get a competitive advantage

6. Information Security Issue: No awareness of information security within your organization.
   How ISO 27001 helps: It ensures senior management recognize information security as a priority and that there is a clear level of knowledge from the top level all the way down.
   Benefits:
   • Improved information security awareness
   • Shows commitment to information security at all levels throughout your organization
   • Reduces staff-related security breaches


Page 5: Basic introduction to iso27001

ISO 27001

ISO 27001 uses a top down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.

2. Define the scope of the ISMS.

3. Conduct a risk assessment.

4. Manage identified risks.

5. Select control objectives and controls to be implemented.

6. Prepare a statement of applicability.

Page 6: Basic introduction to iso27001

ISO 27002

This standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment

2. Security policy

3. Organization of information security

4. Asset management

5. Human resources security

6. Physical and environmental security

7. Communications and operations management

8. Access control

9. Information systems acquisition, development and maintenance

10. Information security incident management

11. Business continuity management

12. Compliance

Page 7: Basic introduction to iso27001

ISO 27000 Family

Other standards that have also been developed in the 27000 family are:

27003 – implementation guidance.

27004 – an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.

27005 – an information security risk management standard. (Published in 2008)

27006 – a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)

27007 – ISMS auditing guideline.

Page 8: Basic introduction to iso27001

Thanks for reading!


If you would like to contact me, feel free to head over to my website: www.imran-ahmed.co.uk

You can also see my other SlideShare presentations

Alternatively, visit my Blog page
