Introduction to 17799 - ISACA Melbourne
Introduction to ISO/IEC 27001:2005
Prepared by
Endre P. Bihari JP
of
Performance Resources
For ISACA Melbourne Chapter
Technical Session
18th of July 2006 AD
2/20 ©2006 Performance Resources
What is ISO/IEC 17799?
• Aim:
– Creating a common basis for organisational security standards development
– Enhance security management practice
– Provide best practice guidance based on practical industry experience
– Provide a structured framework for an organisation to examine & improve security
• Consists of Two Parts
– Part 1 – Code of Practice for Information Security Management
– Part 2 – Specification for Information Security Management Systems
History of ISO/IEC 17799:2005
• Early 1990s
– Department of Trade and Industry (UK) produced an “Information security management code of practice” by a working group comprising experienced information security managers
• 1995
– Code of Practice is published as a British Standard (BS 7799)
• 1999
– Revised and updated (BS 7799-1:1999)
– BS7799-2 is published
• Late 1990s
– BS7799 is translated to different languages
– Adopted by several countries
• 2000
– ISO/IEC 17799-1:2000 is published
• 2003
– ISO/IEC 17799-2:2003 is published
• 2005
– Revised and updated (ISO/IEC 17799-1:2005)
• 2006
– BS 7799-3 is published
The ISO/IEC 27000 Standard Family
• ISO/IEC 27000 – Information security management system – fundamentals and vocabulary
• ISO/IEC 27001:2005 – Information security management — requirements (from AS/NZS 7799-2:2003)
• ISO/IEC 27002:2007? – Code of practice for information security management (from ISO/IEC 17799:2005)
• ISO/IEC 27003:2008? – Implementation guide?
• ISO/IEC 27004:2006? – Information security management metrics and measurement
• ISO/IEC 27005 – Information security risk management (from BS 7799-3:2006)
• ISO/IEC 27006:2007? – Guidelines for information and communications technology disaster recovery services (from SS507)
• ISO/IEC 27007-27010 – Allocation for future use
Structure and Relationship to Other Standards
ISO 9001:2000, ISO 14001:2004, ISO/IEC 27000
Alignment with other quality standards’ structure:
0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Management System
5. Management Responsibility
6. Audit
7. Management Review
8. Improvement
9. Annexes
ISO/IEC 27001:2005 Structure
The PDCA (Based on Deming’s) Model (for every ISMS Process)
• PLAN (establish the ISMS) – Section 4
• DO (implement and operate the ISMS) – Section 5
• CHECK (monitor and review the ISMS) – Sections 6 & 7
• ACT (maintain and improve the ISMS) – Section 8
Control Objectives and Controls (from 17799:2005) – Annex A
OECD Principles – Annex B
• Awareness
• Responsibility
• Response
• Risk Assessment
• Security Design and Implementation
• Security Management
• Reassessment
Benefits of ISO/IEC 27001:2005
• Improvement in
– Understanding of the value of organisational information
– Confidence, satisfaction and TRUST
  • Customer, business partner
  – e.g. Handling their sensitive information
– Assurance level of organisational security & QUALITY
– Legal and regulatory compliance
– Organisational effectiveness of communicating security requirements
– Employee motivation and participation in security
– Management and handling of security incidents
– Ability to differentiate organisation for competitive advantage
– Credibility & reputation, profitability
Why are there changes to ISO/IEC 17799:2003?
• Emerging trends – new threats
• Governance – increased call for senior management commitment
• Assurance – global call for more detailed assurance measures
• Compliance – legal & regulatory pressures
• Managing risks – whole risk management approach is now clearly understood and requires evidencing; increased emphasis on continuous review
Improved Clarity
OLD Control Text:
• CONTROL + some implementation guidance & other supporting information
NEW Control Text:
• CONTROL – specific control statement that satisfies the control objective
• IMPLEMENTATION GUIDANCE – list of more detailed implementation controls and related guidance that satisfies the control objective; other implementation methods might exist and may be more appropriate
• OTHER INFORMATION – further explanation and information that might need to be considered at implementation; other, related standards
ISO Standards Related to ISO/IEC 17799:2005
[Figure: ISO/IEC 17799:2005 at the centre, surrounded by its 11 clauses – Security Policy; Security Organisation; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance – with related standards placed against them: AS 3806, HB 221, SS 507, NFPA 1600, 13335-1, 13335-2, 13335-3, 13335-4, 13569, 14516, 15408, 15443-1, 15443-2, 15443-3, 15489-1, 15489-2, 15816, 15945, 15947, 17944, 18028-1, 18028-2, 18028-3, 18028-4, 18028-5, 18043, 18044, 18045, 20000-1, 20000-2, 25000]
Demystifying ISO/IEC 17799:2005
• 11 Clauses (or domains)
• 39 Control objectives
– functional requirement specification for ISM architecture
• 134 Specific controls
– Not mandated – but Statement of Applicability!
– To be treated as a generic control menu to select from
– The “Auditor’s Standard”
• Hundreds of best practice control measures
– Offering implementation guidance
• Not complete – what is missing?
Steps Towards Certification
Development → Implementation → Stage 1 Audit → Stage 2 Audit → Surveillance & Re-assessment: Follow Up
Actors: ISMS WG; 3rd Party Auditor(s)
Recommended Policy / Standards Hierarchy
From Strategic (more generic) to Tactical (more specific):
• Laws, Regulations & Requirements – WHAT IS REQUIRED: Laws and Legislations, ISO/IEC Standards, Business Objectives
• Principles – CORE DIRECTION: Statements of commitment
• Policy – STATEMENT OF INTENT: Specifies what to do and why
• Standards – CONTROL SPECIFICATION: Statement and description of how resources are to be used
• Procedures, Processes – KNOW HOW: A written description of a course of action to be taken to perform a given task. [IEEE610]
• Guidelines, Practices – SHOW HOW: Describes application and usage of controls
• Baselines – KNOW WHAT: Provides the minimum level of requirements
Source: Performance Resources, used by permission
Recommended Policy Framework (Extended)
Source: Performance Resources, used by permission
Sample Documents 1
Policy Statements
Sample Documents 2
Domain Standard
Sample Documents 3
Purpose Specific Standards
What Constitutes a Good Policy?
• Content over form
– Just because a document is called “policy” does not mean it is indeed a policy
• Alignment with business needs
• Clarity
• Comprehensiveness
• Simple and practical
– Easy to maintain
– Accessible
• Supportive environment
– Enforceable and enforced
Development Consideration
• Skills
– Knowledge of RFCs, ISO and other standards
– Clear and precise communication
– Intimate knowledge of information security (both technical and managerial)
• Time – Cost – Quality
– 10-13 days (policy)
– 5-7 days (standards)
– $800 - $1,600 per day
– Licensing – immediate, for less than half of this cost!
  • (available through Performance Resources)
Further Information
Further information is available at http://www.perfres.net/methodology.asp
Or contact me
Endre Bihari
Mobile: 0414 35 15 58
Email: [email protected]