How Does the New ISO 27001 Impact Your IT Risk Management Processes?

Presented by Lars Neupart, Founder and CEO of Neupart – The ERP of Security. [email protected], twitter @neupart


There is a new ISO 27001 coming out later this year. It sets new requirements for your information security management system (ISMS). This slide deck presents how the updated standard impacts your IT risk management processes. The slide deck is also presented in this webinar: http://www.neupart.com/events/webcasts

Transcript of How Does the New ISO 27001 Impact Your IT Risk Management Processes?

Page 1: How Does the New ISO 27001 Impact Your IT Risk Management Processes?

Presented by Lars Neupart, Founder and CEO of Neupart – The ERP of Security. [email protected], twitter @neupart

Page 2: The ISO 2700x standards

• ISO 27000 – Overview and vocabulary
• ISO 27001 – Information Security Management Systems – Requirements
• ISO 27002 – Code of practice for information security management
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – Information Security Management – Measurement
• ISO 27005 – Information Security Risk Management
• ISO 27006 – Requirements for bodies providing audit and certification
• + + + +

Page 3: New drafts available

• ISO 27000 – Overview and vocabulary
• ISO 27001 – Information Security Management Systems – Requirements
• ISO 27002 – Code of practice for information security management
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – Information Security Management – Measurement
• ISO 27005 – Information Security Risk Management
• ISO 27006 – Requirements for bodies providing audit and certification
• + + + +

Page 4: Information Security Management Systems – Requirements

ISO 27001 – the 2013 edition. ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen.

The aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.

Page 5: What's new?

• A lot!
• New content
• New requirements numbering
• Still short: 9 pages of requirements to an ISMS
• Controls are still listed in Annex A, referring to (the new) ISO 27002
• Maintaining a fair portion of backwards compatibility

Page 6: Poll: How do you use ISO 27001 today?

• We are certified
• We plan to certify
• We plan to comply; no certification
• Best practice inspiration
• Don't know

Page 7: Still risk oriented

• The first requirement in the new ISO 27001 refers to an Enterprise Risk Management standard: ISO 31000

Page 8: ISO 31000 Enterprise Risk Management

[Diagram: the Plan – Do – Check – Act cycle]

Page 9: How the standards relate

• Enterprise Risk Management (ISO 31000)
• Information Security Risk Management (ISO 27005)
• ISMS Requirements (ISO 27001)

Page 10: ISO 27005 recap

Page 11: IT Risk Management – Explained

[Diagram] Risk is made up of Incident Likelihood and Incident Consequence. Incident Likelihood is driven by Threat Frequency and reduced by Preventive Measures; Incident Consequence is driven by Threat Effect and reduced by Corrective Measures. Threats feed both sides.

Page 12: IT Risk Management – Explained (continued)

Reduce Likelihood – Proactive Security (preventive measures): IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus.

Reduce Consequence – Reactive Security (corrective measures): IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup.

[Diagram, as on page 11, with Prioritization added: Risk; Incident Likelihood; Incident Consequence; Threat Frequency; Threat Effect; Threats; Preventive Measures; Corrective Measures]

Page 13: Vulnerability & control environment assessment

[Diagram: measures grouped along two axes, Administrative vs. Physical/Technical and Preventive vs. Corrective]

Example measures: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring.

Assessments are based on the Capability Maturity Model.

Page 14: Assets: Dependency Hierarchy

Business Impact values are inherited downwards. Vulnerability values are inherited upwards.

[Diagram: example asset hierarchy]
• Finance – Business Process
• ERP – IT Service
• Dynamics AOS – Business system
• Finance DB – Database
• Server 01 – Virtual Server
• Server 02 – Virtual Server
• HP DL380 – Hardware unit
• HP DL380 – Hardware unit
• SAN 01 – Data Storage
• Data Center Oslo – Datacenter

Page 15: Comparing ISO 27005 and NIST SP800-30

ISO 27005                               NIST SP800-30
Context establishment                   –
Identification of assets                System Characterization
Identification of threats               Threat Identification
Identification of existing controls     Vulnerability Identification
Identification of vulnerabilities       Control Analysis
Identification of consequences          –
Assessment of consequences              Likelihood Determination
Assessment of incident likelihood       Impact Analysis
Risk estimation                         Risk Determination
Risk evaluation                         –
Risk treatment                          Control Recommendations
Risk acceptance                         –
Risk communication                      Results Documentation

Page 16: Examples of how the 27001 update will impact your risk management processes

Page 17: 27001: Not only downside risks

• 6.1 Actions to address risks and opportunities
• Quote from ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is 'risk'."

Page 18: Risk Owner

• The Risk Owner approves the risk treatment plan and accepts residual risks
• Note: Asset ownership is formally no longer an ISO 27001 requirement, but it is still in the Annex A control list. Practically the same requirement, as you can't expect it to be left out of your Statement of Applicability

Page 19: Increased flexibility in your choice of risk method

The organization shall define an information security risk assessment process that:

1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
2. determines the criteria for performing information security risk assessments; and
3. ensures that repeated information security risk assessments produce consistent, valid and comparable results.

(section 6.1)

Page 20: Time to vote

• What IT risk assessment method or framework do you use today?
  – ISO 27005
  – NIST SP 800 series
  – IRAM
  – OCTAVE
  – Some other threat based approach
  – Some other control based approach
  – Don't know

Page 21: The organization shall apply an information security risk treatment process

Page 22: Treating Risks

Accept – Reduce – Share – Avoid

These are the treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.

Page 23: SoA linked even closer to Risk Treatment

SoA = Statement of Applicability

Risk treatment:
• Select treatment options
• Determine controls
• Check controls against Annex A; verify that no necessary controls are omitted
• Make the SoA and justify exclusions AND inclusions (new)
• Clearly worded that you must determine all necessary controls

Page 24: Review of Neupart's well-known 4 responsible short-cuts – do they still apply?

1: Not all assets
• Assess your most important assets first (you can add more later)

2: Not all threats
• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)

3: Inheritance
• Inheritance: business impact values are inherited downwards
• Vulnerability scores are inherited upwards
• Asset dependencies / hierarchy

4: Fewer assessments
• Make an overall assessment first – refine later
• Example: assess threats combined first – individually later
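Added example, not from the slide deck or from Neupart's SecureAware product: a small Python model of the asset dependency hierarchy from page 14 with the inheritance rules of short-cut 3, producing a prioritized risk register. The asset names follow page 14; the dependency edges, the 1–5 scores, the second "Test lab" process and the risk = impact × vulnerability product are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str
    depends_on: list = field(default_factory=list)  # assets this one relies on (lower in the hierarchy)
    impact: int = 0         # business impact scored directly on this asset, 1-5 (0 = not scored)
    vulnerability: int = 0  # vulnerability scored directly on this asset, 1-5 (0 = not scored)

def inherited_impacts(asset, inherited=0, out=None):
    """Business impact flows downwards: a supporting asset takes the highest impact
    of anything that depends on it, so shared infrastructure keeps the top score."""
    out = {} if out is None else out
    value = max(asset.impact, inherited)
    out[asset.name] = max(value, out.get(asset.name, 0))
    for child in asset.depends_on:
        inherited_impacts(child, value, out)
    return out

def inherited_vulnerabilities(asset, out=None):
    """Vulnerability flows upwards: a service is as exposed as the weakest asset below it."""
    out = {} if out is None else out
    below = [inherited_vulnerabilities(child, out)[child.name] for child in asset.depends_on]
    out[asset.name] = max([asset.vulnerability] + below)
    return out

def risk_register(roots):
    """Risk = inherited impact x inherited vulnerability (assumed scoring), sorted for prioritization."""
    impacts, vulns = {}, {}
    for root in roots:
        inherited_impacts(root, 0, impacts)
        inherited_vulnerabilities(root, vulns)
    register = {n: (impacts[n], vulns[n], impacts[n] * vulns[n]) for n in impacts}
    return dict(sorted(register.items(), key=lambda kv: kv[1][2], reverse=True))
# Constructed hierarchy using the page 14 asset names; edges and scores are assumptions.
datacenter = Asset("Data Center Oslo", "Datacenter", vulnerability=1)
san = Asset("SAN 01", "Data storage", [datacenter], vulnerability=2)
hw1 = Asset("HP DL380 #1", "Hardware unit", [datacenter], vulnerability=2)
hw2 = Asset("HP DL380 #2", "Hardware unit", [datacenter], vulnerability=3)
srv1 = Asset("Server 01", "Virtual server", [hw1, san], vulnerability=4)
db = Asset("Finance DB", "Database", [srv1], vulnerability=3)
aos = Asset("Dynamics AOS", "Business system", [srv1], vulnerability=2)
erp = Asset("ERP", "IT service", [aos, db])
finance = Asset("Finance", "Business process", [erp], impact=5)  # impact scored only at the top
lab = Asset("Test lab", "Business process", [hw2], impact=2)     # constructed second process
if __name__ == "__main__":
    for name, (impact, vuln, risk) in risk_register([finance, lab]).items():
        print(f"{name:17} impact={impact} vulnerability={vuln} risk={risk}")
```

Running it shows the shared data center inheriting the Finance impact of 5 even though the Test lab only scores 2, while Server 01's vulnerability of 4 propagates up to the Finance process itself.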

Page 25: Oh, what happened to PDCA?

Plan – Do – Check – Act is still there, now called continual improvement.

Page 26: Risk Management

• Risk Owner
• (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)

Page 27: Time to vote

• Will the new ISO improve your risk management processes?
  – Yes – the update is easy to understand and makes sense
  – Not much – nothing really new here
  – I'm concerned about the introduced flexibility
  – Don't know

Page 28: About Neupart

• ISO 27001 certified company
• Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies

IT GRC = IT Governance, Risk & Compliance Management

Page 29: SecureAware Risk TNG Benefits

• Less specialist knowledge needed to conduct professional risk management
• Know your IT related business risks
• Fast results
• Saves time for you and your organization
• ISO 27005 based methodology – and fully compatible with NIST SP800-30
• Cloud or on-premise software

Page 30: Try an ISO 27001 compliant IT GRC solution at www.neupart.com

Presented by Lars Neupart, Founder and CEO of Neupart – The ERP of Security. [email protected], twitter @neupart