Information Security Management – Management System Requirements, Code of Practice for Controls, and Risk Management
Supervision: Assistant Professor Dr. Sana’a Wafa Al-Sayegh
ITGD 2202 Tamer abo lehia
Security Management
Background of ISMS Standards
Information Security Management System (ISMS) standards have been produced to help organisations come up with cost-effective answers to questions like:
– Why does the same type of information security problem come up again and again?
– Why does the IT department keep asking for more and more money to solve information security problems (that don’t go away)?
– How can we do information security well when IT is core to our business, but not our core business?
Origins in UK business in the 1990s, pooling knowledge of best practice
– Initial focus on controls (now published as ISO/IEC 17799:2005)
– Enhanced with a management decision-making framework (now published as ISO/IEC 27001:2005)
Recently internationalised and updated by ISO/IEC
STANDARDS AUSTRALIA SECURITY FORUM
Nationally:
– Large corporates (e.g. ANZ, Shell, Bluescope, Telstra)
– Information and IT security specialists (e.g. Witham Labs, Pacific Research, Fujitsu, Megaprime)
Internationally:
– Representatives from large corporates in the IT and other sectors, information security specialists from specialist business and government organizations
• Australia, Austria, Belgium, Brazil, Canada, China, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Japan, Kenya, Luxembourg, Malaysia, New Zealand, Netherlands, Norway, Poland, Russia, Singapore, Spain, South Africa, South Korea, Sri Lanka, Sweden, Switzerland, UK, Ukraine, USA
Organisations involved in the development of the ISMS Standards
These standards are relevant to any organisation reliant on information and IT
– Large corporates
– SMEs
– Government agencies
Focus is on organisations that can’t justify a staff of information security specialists
– Value is provided by making pooled, peer-reviewed best practices for the management and implementation of an information security programme available to all at a modest cost
The target audience and the value the ISMS Standards bring to the market
The ISMS standards specify a framework for organisations to manage information security aspects of their business, and if necessary to demonstrate to other parties (e.g. business partners, auditors, customers, suppliers) their ability to manage information security.
Objectives of the Standards
ISO/IEC 27001: ‘Information Security Management Systems - Requirements’ is the foundational standard; it is applicable to all types of organisation and all sectors of the economy.
It specifies a risk-based management system designed to ensure that organisations select and operate adequate and proportionate (i.e. cost-effective) security controls to protect information assets.
– It uses the ‘plan-do-check-act (improve)’ model also used in environmental and quality management standards.
– It is specified so that it can be implemented as an integrated part of broader management systems.
• The standard shows how requirements relate to the OECD Guidelines for the Security of Information Systems and Networks.