ISMS Implementation and Certification Challenges
(Challenges of implementing and obtaining certification for an Information Security Management System)
ISMS Implementation & Certification Challenges H.Teimoori 2/49
Presenter
• Hossein Teimoori
• ISMS Lead Auditor
• ISMS Lead Tutor (IRCA Approved)
• +200 Audits
Content
• ISMS Definitions
• ISMS Standards
• ISMS History
• ISO 27001 Structure
• ISMS Implementation process
• Certification
• Implementation Process
• Certification cycle
• ISMS Implementation & Certification Challenges + Tips
Definitions
Information
Information is an asset that, like other important business assets, is essential to an organization's business (mission) and consequently needs to be suitably protected.
Information Formats
• Printed or written on paper
• Stored electronically
• Transmitted by post or electronic means
• Shown on corporate videos
• Verbal - spoken in conversations
'… Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.'
Source: ISO 27002:2007
Information Lifecycle
• Creation
• Use
• Destruction
Info. Assets Types
1. Information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information;
2. Software assets: application software, system software, development tools, and utilities;
3. Physical assets: computer equipment, communications equipment, removable media and other equipment;
Source: ISO 27002, page 19
Info. Assets Types (continued)
4. Services: computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning;
5. People, and their qualifications, skills, and experience;
6. Intangibles, such as reputation and image of the organization.
Source: ISO 27002, page 19
Information Security (CIA)
• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity: the property of safeguarding the accuracy and completeness of assets
• Availability: the property of being accessible and usable upon demand by an authorized entity
Information Security Management System
PDCA Cycle
Management Process Model
(Figure: the PDCA model applied to ISMS processes.) The input is the information security requirements and expectations of interested parties. Plan: establish the ISMS. Do: implement and operate the ISMS. Check: monitor and review the ISMS. Act: maintain and improve the ISMS. The output delivered to the interested parties is managed information security, with continual improvement of the management system.
PDCA Cycle's Role
(Figure: Plan, Do, Check, Act applied to the ISMS.) The ISMS starts from a baseline performance and works toward an improvement objective, improving the process through the PDCA cycle. Measure/monitor results against objectives; improve the process and change the ISMS as needed to achieve and sustain the desired results.
ISMS Standards
27000 Series
Standard - Title
ISO27000 - Vocabulary & Fundamentals
ISO27001 - Requirements
ISO27002 - Code of Practice (previously known as ISO17799)
ISO27003 - Implementation guidance
ISO27004 - Metrics & measurement
ISO27005 - Guidelines for Risk Management
ISO27006 - Assessment and certification (requirements)
ISO27007 - Guidelines for auditing ISMS
ISO27008 - Guidance on auditing information security controls
ISMS-related Standards
Standard - Title
ISO/IEC TR 13335 - Guideline for management of IT security
ISO19011 - Guideline for auditing management systems
ISO17021 - Requirements for assessment and certification bodies
ISO 27001 History
History
1993 Industry working group was initiated and code of practice issued
1995 BS7799-1 was formalized
1998 BS7799-2 was formalized
1999 BS7799-1 & BS7799-2 were published
2000 ISO17799:2000 superseded BS7799-1:1999
2002 BS7799-2:2002 superseded BS7799-2:1999
2005 ISO27001:2005 superseded BS7799-2:2002; ISO17799:2005 superseded ISO17799:2000
2007 ISO27006:2007 was formalized; ISO17799:2005 was renamed ISO27002
2008 ISO27005:2008 was formalized
ISO 27001 STRUCTURE
ISO27001:2005 Structure
0 Introduction
1 Scope
2 Normative References
3 Terms & Definitions
4 ISMS
5 Management Responsibility
6 Internal Audit
7 Management Review of the ISMS
8 ISMS Improvement
(Clauses 4 to 8 are mapped to the Plan, Do, Check, Act cycle.)
Annex A. Control Objectives & Controls
Annex B. OECD Principles
Annex C. Correspondence to ISO 9001 & ISO 14001
ISO27001 - Annex A
A.5 Security policy
A.6 Organization (structure) of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
ISO27001 Annex A /// ISO27002
ISO27001 Objectives
Risk Management
(Figure) Risks, reduced by safeguards (controls), leave residual risks.
Continual Improvement
ISMS IMPLEMENTATION Process
Exercise: Identifying relevant controls
Implementation Process
ISMS CERTIFICATION
Certification
The value of certification is that which is established by an impartial and competent assessment by a third party. (Clause 4.1.2)
Management System Certification Bodies
(Figure: the accreditation hierarchy.)
IAF
→ Accreditation Bodies: RvA, ANAB, DAkkS, . . . , UKAS, NACI
→ Certification Bodies: BSI, UL, TUV, . . . , DNV, NIS (accredited against ISO 17021 plus the scheme standard: 17021 + 22000, 17021 + 9001+14001, 17021 + 27001, 17021 + 9001)
→ Clients: Shell, HP, IBM, . . . , Google, NIOC
Certification Process
Contract → Stage 1 Audit → Stage 2 Audit → Certification/Registration → Surveillance Audit 1 → Surveillance Audit 2
Certification Cycle (Overview of ISO/IEC 17021)
(Figure: flowchart of the certification cycle.)
- Pre Audit
- Initial Audit: Stage 1, then the decision "Ready for Stage 2?" (N: not yet; Y: Stage 2)
- Stage 2 → Certification
- Surveillance 1, Surveillance 2, then the rest of the certification cycle → Re-Certification
- After each audit: NCs? (Y: NC closing process; N: continue). NCs that are not closed lead to sanctions.
ISMS Implementation & Certification CHALLENGES + Tips
Common Implementation Challenges
• Wrong scoping
• Wrong estimation of time and costs
• Change fear/resistance
• Intra-organizational competitions
• Problematic steering
Common Certification Challenges (NC root causes)
• Lack of management commitment
• Ignorance of external parties' issues
• Inappropriate risk assessment
• Lack of proactive approach
1. Wrong Scoping
Tips:
- Use gap analysis
- Prioritize
- Initial scope can be extended later
2. Wrong Time & Cost Estimation
Tips:
- Benchmark
- Initial study / gap analysis
- Prepare for the worst scenario
3. Fear of / Resistance to Change
Reasons:
1- Misunderstanding about the need for change
2- Fear of the unknown
3- Lack of competence
4- Connected to the old way
5- Low trust
6- Temporary fad
7- Not being consulted
8- Poor communication
…
3. Fear of / Resistance to Change: Reactions to Change (figure)
3. Fear of / Resistance to Change: Key barriers to successful change (IBM survey)
58% Changing mindsets and attitudes
49% Corporate culture
35% Complexity is underestimated
33% Shortage of resources
32% Lack of commitment of higher …
20% Lack of change know-how
18% Lack of transparency because of …
16% Lack of motivation of involved employees
15% Change of process
12% Change of IT systems
8% Technology barriers
3. Fear of / Resistance to Change: Key ingredients for successful change (IBM survey)
92% Top management sponsorship
72% Employee involvement
70% Honest and timely communication
65% Corporate culture that motivates and …
55% Change agents (pioneers of change)
48% Change supported by culture
38% Efficient training programs
36% Adjustment of performance measures
33% Efficient organization structure
19% Monetary and non-monetary incentives
3. Fear of / Resistance to Change: Change Management Steps (figure)
4. Problematic Intra-Org Competitions
Tips:
- Know about "Conflict Management"
- Identify in advance and manage during the implementation phase
5. Inappropriate Steering
Tips:
- Use an experienced & qualified consultant
- Get enough training
6. Lack of Management Commitment
Tips:
- Not to show off
- Long-term look (think of more than 1 contract)
7. Ignorance of External Parties' Issues
Tips:
- Define and follow SLAs/OLAs before RA (risk assessment)
8. Inappropriate Risk Assessment
Tips:
- Solid procedure
- Cross-functional team
- Owner
9. Loss of Initial Driver
Tips:
- Act flexibly and as needed