STAND OUT: Why You Should Become ISO 27001 Certified


Transcript of STAND OUT: Why You Should Become ISO 27001 Certified

Page 1

STAND OUT

Why You Should Become ISO 27001 Certified

Page 2

Contents

• Introduction
• ISO 27001 – What it is
• ISO 27001 – What it is not
• Internal Importance
• External Importance
• Sector-Specific Application
• The Process

Page 3

ISO 27001 – What it is

Page 4

What is ISO 27001

• ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements
• A management system that can be certified by an accredited registrar / certification body
• An Information Security Management System (ISMS) and its supporting controls

Page 5

The ISMS

• Management system – the collection of policies, procedures, people, processes and controls that address information security within the defined scope
• Not a greenfield build, but not inherent in the organization either: it builds on existing practices without assuming they already meet the requirements
• Focused on the identification, treatment, and monitoring of information security risk

Page 6

ISMS Components

• Requirements within Clauses 4–10
– Scope (Clause 4, context of the organization)
– Leadership
– Planning
– Support
– Operation
– Performance Evaluation
– Improvement

Page 7

ISO 27001 Annex A – The Control Set

• 114 total controls across 14 control domains
• General information technology controls (access management, change management, network security, operations management)
• Additional considerations for human resources security, supplier relationships, disaster recovery, compliance
• Applied based on direct or indirect information security risk; the selected controls and any justified exclusions are recorded in the Statement of Applicability

Page 8

ISO 27001 Certification

• Valid for a three-year term
• Requires an active management system
• Evidenced with a certificate
• No centralized repository of certificates: a certificate is verified with the certification body that issued it
• Continued integration and improvement

Page 9

ISO 27001 – What it is not

Page 10

What ISO 27001 Isn’t

• Not a controls-focused audit
• Not point-in-time or backward-looking
• Not absolute assurance
• Not a simple effort
• Not an individual project
• Not an end but a beginning

Page 11

Internal Importance

Page 12

Why ISO 27001?

• Reduce information security risk within the organization
– From door locks to encryption
• Information security risk transparency
– Removes the unknown
– Allows for a risk dashboard
• Commitment and participation from top to bottom
– Management commitment
– Security awareness

Page 13

Why ISO 27001?

• Fundamental foundation for related compliance efforts
– Covers most elements of common compliance efforts
– Compliance efforts are included in the planning and the control set
• Focus (and requirement) on continual improvement
– Initial year: prove conformance
– Subsequent years: improvement and optimization

Page 14

External Importance

Page 15

Customer Assurance

• By the numbers
– From 429 certificates in 2011 to 835 in 2014 (most recent numbers)
– US in the top five countries for growth in 2014
– Still only about 3.5% of the roughly 24,000 certificates globally
• Global market is growing
– Anticipating and meeting customer demands

Page 16

Customer Assurance

• Demonstrates more than “only a certificate”
– Actively monitoring information security risk
– Information security risk management in the fabric of the organization
– The right policies, procedures, processes and people to address security concerns
• Communication of trust

Page 17

Sector-Specific Application

Page 18

27001 By Sector

• Service providers remain the focus
• Increase in specific groups
– Cloud providers
– eDiscovery
– Law firms
• Common theme of data and privacy

Page 19

27001 Extensions

• ISO 27017 – cloud service providers
• ISO 27018 – PII in public clouds
• ISO 27799 – healthcare
• CSA STAR Certification
• Each of these extends an ISO 27001 ISMS rather than replacing it: ISO 27017 and ISO 27018 add sector-specific guidance on top of the Annex A controls, and CSA STAR Certification layers the CSA Cloud Controls Matrix on top of the ISO 27001 audit

Page 20

The Process

Page 21

Where to Begin

• Purchase the ISO 27001 standard
• Perform an internal gap assessment
• Set reasonable planning expectations
• Obtain management commitment
• Secure proper resources to design and implement the ISMS

Page 22

ISMS Scoping and Planning

• Consider the end result when scoping
– Customer expectations
– Focus on where the information security risk is
• Understand the requirements
– e.g. security awareness, communication plan, documentation management, independent internal audit
• Apply the risk assessment to the scope
• Be sure the controls don’t steal the stage: the management system, not the control set, is what gets certified

Page 23

External Assessment

• Two-stage audit approach
– Stage 1 – ISMS design (documentation and readiness review)
– Stage 2 – ISMS operating effectiveness
• Nonconformities are common
– Major: must be corrected and verified before certification can be recommended
– Minor: an accepted corrective action plan is required, with closure checked at the next audit
• Certificate issued once the auditor recommends certification after Stage 2

Page 24

ISMS Maintenance

• An active ISMS requires active participation
• Requires continued conformance and operating effectiveness
• Three-year term for the certificate
– External surveillance audits (at least annually) during the lifecycle
• Recertification after the three-year term

Page 25

LEARN MORE ABOUT ISO 27001