ISMS Implementation and Certification CHALLENGES
Challenges of Implementing and Obtaining Certification for an Information Security Management System

Source: dnsl.ce.sharif.edu/abs/ISMS_challenges.pdf (H.Teimoori, 49 slides)

Jun 17, 2020

Page 1

Challenges of Implementing and Obtaining Certification for an Information Security Management System

ISMS Implementation and Certification CHALLENGES

Page 2

ISMS Implementation & Certification Challenges H.Teimoori 2/49

Presenter

• Hossein Teimoori
• ISMS Lead Auditor
• ISMS Lead Tutor (IRCA Approved)
• +200 Audits

Page 3

Content

• ISMS Definitions
• ISMS Standards
• ISMS History
• ISO 27001 Structure
• ISMS Implementation process
• Certification
• Implementation Process
• Certification cycle
• ISMS Implementation & Certification Challenges + Tips

Page 4

Definitions

Page 5

Information

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.

Page 6

Information Formats

• Printed or written on paper
• Stored electronically
• Transmitted by post or electronic means
• Shown on corporate videos
• Verbal: spoken in conversations

'… Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.'

Source: ISO 27002:2007

Page 7

Information Lifecycle

Creation → Use → Destruction

Page 8

Information Asset Types

1) Information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information;

2) Software assets: application software, system software, development tools, and utilities;

3) Physical assets: computer equipment, communications equipment, removable media and other equipment;

Source: ISO 27002, page 19

Page 9

Information Asset Types

4) Services: computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning;

5) People, and their qualifications, skills, and experience;

6) Intangibles, such as reputation and image of the organization.

Source: ISO 27002, page 19

Page 10

Information Security (CIA)

• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

• Integrity: the property of safeguarding the accuracy and completeness of assets

• Availability: the property of being accessible and usable upon demand by an authorized entity

Page 11

Information Security Management System

PDCA Cycle

Page 12

Management Process Model

Interested parties' information security requirements and expectations are the input to the cycle; managed information security, delivered back to the interested parties, is its output. The four phases and the ISMS activity each covers:

• Plan: Establish the ISMS
• Do: Implement & operate the ISMS
• Check: Monitor & review the ISMS
• Act: Maintain & improve the ISMS

Continual improvement of the management system

Page 13

PDCA Cycle's Role

Plan → Do → Check → Act, repeated around the ISMS: improve the process through the PDCA cycle, raising performance from the baseline toward the improvement objective and delivering results.

Measure/monitor results against objectives; improve the process and change the ISMS as needed to achieve and sustain the desired results.

Page 14

ISMS Standards

Page 15

27000 Series

Standard    Title
ISO27000    Vocabulary & Fundamentals
ISO27001    Requirements
ISO27002    Code of Practice (formerly known as ISO17799)
ISO27003    Implementation guidance
ISO27004    Metrics & measurement
ISO27005    Guidelines for Risk Management
ISO27006    Assessment and certification
ISO27007    Guidelines for auditing ISMS
ISO27008    Guidance on auditing information security controls

Page 16

ISMS-related Standards

Standard            Title
ISO/IEC TR 13335    Guideline for management of IT security
ISO19011            Guideline for auditing management systems
ISO17021            Requirements for assessment and certification bodies

Page 17

ISO 27001 History

Page 18

ISO27001 History

1993  Industry working group was initiated and code of practice issued
1995  BS7799-1 was formalized
1998  BS7799-2 was formalized
1999  BS7799-1 & BS7799-2 were published
2000  ISO17799:2000 superseded BS7799-1:1999
2002  BS7799-2:2002 superseded BS7799-2:1999
2005  ISO27001:2005 superseded BS7799-2:2002; ISO17799:2005 superseded ISO17799:2000
2007  ISO27006:2007 was formalized; ISO17799:2005 was renamed ISO27002
2008  ISO27005:2008 was formalized

Page 19

ISO 27001 STRUCTURE

Page 20

ISO27001:2005 Structure

0  Introduction
1  Scope
2  Normative References
3  Terms & Definitions
4  ISMS (Information Security Management System)
5  Management Responsibility
6  Internal Audit
7  Management Review of ISMS
8  ISMS Improvement

The slide marks clauses 4 to 8 with the letters P, D, C, A.

Annex A: Control Objectives & Controls
Annex B: OECD Principles
Annex C: Correspondence to 9k & 14k (ISO 9001 and ISO 14001)

Page 21

ISO27001 Annex A

A.5   Security policy
A.6   Organization of information security
A.7   Asset management
A.8   Human resources security
A.9   Physical and environmental security
A.10  Communications and operations management
A.11  Access control
A.12  Information systems acquisition, development and maintenance
A.13  Information security incident management
A.14  Business continuity management
A.15  Compliance

Page 22

ISO27001 Annex A /// ISO27002

Page 23

ISO27001 Objectives

Page 24

Risk Management

Risks → Safeguards (control measures) → Residual Risks
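The slide's chain of risks, safeguards and residual risks, worked through in code. This example is added here by the editor and is not part of the presentation: the likelihood × impact scoring, the acceptance threshold, the function names and every asset, threat and score are constructed assumptions chosen to illustrate the idea. The only page-sourced values are the Annex A section labels (A.9, A.11, A.12) used to tag each safeguard. It also checks that each risk has a named owner, since an unowned risk is one of the procedural gaps the later "Inappropriate Risk Assessment" slide warns about.

```python
"""Worked example of Risks -> Safeguards -> Residual risks.

Editor's illustration, not code from the presentation. The scoring
scheme, the acceptance threshold and all sample data are assumptions.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales: likelihood and impact are scored 1..5 and
# risk = likelihood * impact. Management accepts residual risk <= threshold.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Safeguard:
    """A control selected from ISO 27001:2005 Annex A (section-level reference)."""
    annex_ref: str
    name: str
    likelihood_reduction: int = 0  # scale points the control removes
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str                      # every risk needs a named owner
    likelihood: int
    impact: int
    safeguards: list[Safeguard] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk level before any safeguard is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk level remaining after the selected safeguards; never below 1 x 1."""
        lik = self.likelihood - sum(s.likelihood_reduction for s in self.safeguards)
        imp = self.impact - sum(s.impact_reduction for s in self.safeguards)
        return max(lik, 1) * max(imp, 1)


def validate(risk: Risk) -> None:
    """Procedural checks: scores within the scale, owner assigned."""
    if not risk.owner.strip():
        raise ValueError(f"risk on {risk.asset!r} has no owner")
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} for {risk.asset!r} must be 1..5, got {value}")


def treat(risks: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[dict]:
    """Return one treatment record per risk with the accept / treat-further decision."""
    records = []
    for r in risks:
        validate(r)
        residual = r.residual()
        records.append({
            "asset": r.asset,
            "owner": r.owner,
            "inherent": r.inherent(),
            "residual": residual,
            "decision": "accept" if residual <= threshold else "treat further",
        })
    return records


def statement_of_applicability(risks: list[Risk]) -> dict[str, list[str]]:
    """Map each selected Annex A section to the assets whose risks justify it."""
    soa: dict[str, list[str]] = {}
    for r in risks:
        for s in r.safeguards:
            assets = soa.setdefault(s.annex_ref, [])
            if r.asset not in assets:
                assets.append(r.asset)
    return soa


def sample_risks() -> list[Risk]:
    """Constructed sample register (assets, threats and scores are invented)."""
    return [
        Risk("customer database", "unauthorised disclosure", "DB team lead", 4, 5,
             [Safeguard("A.11", "user access management", likelihood_reduction=2)]),
        Risk("staff laptop", "theft", "IT operations", 3, 4,
             [Safeguard("A.9", "secure areas", likelihood_reduction=1),
              Safeguard("A.12", "full-disk encryption", impact_reduction=3)]),
        Risk("public web server", "denial of service", "infrastructure lead", 2, 3),
    ]


if __name__ == "__main__":
    for rec in treat(sample_risks()):
        print(rec)
    print(statement_of_applicability(sample_risks()))
```

Running the script lists, for each sample risk, its inherent and residual scores and whether it falls under the acceptance threshold; the database risk stays above the threshold even after access control and is flagged for further treatment, while the encrypted laptop drops into the accepted band. A real assessment would substitute the organization's own scales, threshold and register, but the shape of the decision is the same.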

Page 25

Continual Improvement

Page 26

ISMS IMPLEMENTATION Process

Exercise: Identifying relevant controls

Page 27

Implementation Process

Page 28

Implementation Process

Page 29

ISMS CERTIFICATION

Page 30

Certification

The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third party. (ISO/IEC 17021, Clause 4.1.2)

Page 31

Management System Certification Bodies

IAF

Accreditation Bodies: RvA, ANAB, DAkkS, ..., UKAS, NACI

Certification Bodies (accredited against ISO 17021 plus the scheme standard: 17021 + 22000, 17021 + 9001 + 14001, 17021 + 27001, 17021 + 9001): BSI, UL, TUV, ..., DNV, NIS

Clients (certified against the relevant ISO standard): Shell, HP, IBM, ..., Google, NIOC

Page 32

Certification Process (ISO 17021)

1. Contract
2. Pre Audit
3. Initial Audit: Stage 1 Audit, then Stage 2 Audit
4. Certification / Registration
5. Surveillance Audit 1
6. Surveillance Audit 2

Page 33

Certification Cycle (Overview of ISO/IEC 17021)

• Stage 1 → Ready for Stage 2? N: not yet; Y: Stage 2
• Stage 2 → NCs? Y: NC Closing Process; N: Certification
• Certification → Surveillance 1 → NCs? Y: NC Closing Process
• Rest of Certification Cycle (further surveillance) → Re-Certification, with NCs at each step going to the NC Closing Process
• NCs that are not closed → Sanctions

Page 34

ISMS Implementation & Certification CHALLENGES + Tips

Page 35

Common Implementation Challenges

• Wrong scoping
• Wrong estimation of time and costs
• Change fear/resistance
• Intra-Organizational Competitions
• Problematic steering

Common CERTIFICATION Challenges (NC Root-Causes)

• Lack of Management commitment
• Ignorance of external parties' issues
• Inappropriate Risk Assessment
• Lack of proactive approach

Page 36

1. Wrong SCOPING

Tips:
- Use Gap Analysis
- Prioritize
- Initial Scope can be extended later

Page 37

2. Wrong Time & Cost Estimation

Tips:
- Benchmark
- Initial Study / Gap Analysis
- Prepare for the worst scenario

Page 38

3. Fear/resistance to CHANGE

Reasons:
1- Misunderstanding about the need for change
2- Fear of the unknown
3- Lack of competence
4- Connected to the old way
5- Low trust
6- Temporary fad
7- Not being consulted
8- Poor communication

Page 39

3. Fear/resistance to CHANGE: Reactions to Change

Page 40

3. Fear/resistance to CHANGE

Key barriers to successful change (IBM Survey):

58%  Changing mindsets and attitudes
49%  Corporate culture
35%  Complexity is underestimated
33%  Shortage of resources
32%  Lack of commitment of higher …
20%  Lack of change know-how
18%  Lack of transparency because of …
16%  Lack of motivation of involved employees
15%  Change of process
12%  Change of IT systems
8%   Technology barriers

Page 41

3. Fear/resistance to CHANGE

Key ingredients for successful change (IBM Survey):

92%  Top management sponsorship
72%  Employee involvement
70%  Honest and timely communication
65%  Corporate culture that motivates and …
55%  Change agents (pioneers of change)
48%  Change supported by culture
38%  Efficient training programs
36%  Adjustment of performance measures
33%  Efficient organization structure
19%  Monetary and non-monetary incentives

Page 42

3. Fear/resistance to CHANGE: Change Management Steps

Page 43

4. Problematic Intra-Org Competitions

Tips:
- Know about "Conflict Management"
- Identify in advance and manage during the implementation phase

Page 44

5. Inappropriate Steering

Tips:
- Use an experienced & qualified consultant
- Get enough training

Page 45

6. Lack of Management Commitment

Tips:
- Do not show off
- Take a long-term view (think of more than one contract)

Page 46

7. Ignorance of External Parties' Issues

Tips:
- Define and follow SLAs/OLAs before RA (risk assessment)

Page 47

8. Inappropriate RISK ASSESSMENT

Tips:
- Solid Procedure
- Cross Functional Team
- Owner

Page 48

9. Loss of Initial Driver

Tips:
- Act flexibly and as needed

Page 49

Thank you

[email protected]