Page 1: ISO-27

Slide 1

Information Security Management Systems

An ISO 27001 Introduction

Mahmood Justanieah

ISACA-Jeddah Technical Meeting

18-March-2009

Slide 2

19h00 Information Security

ISO 27001:2005 and ISO 27002:2005

Control objectives and controls

Differences between ISO 27001 & other Standards (ITIL, Cobit, ISO 20000)

19h45 Questions & Answers

20h00 Closure

Slide 3

Section 1: Information Security

Slide 4

Scenario

► Compliance requirements, new notification laws and the growing number of breaches have made organizations aware that they need a structured approach to data security.

► Organizations are increasingly dependent on information assets

► Information users (internal & external) are demanding increased availability

► The number of incidents that threaten the continuity of operations is growing

► A single security breach can:

• destroy a company’s image

• depress the value of the business

• erode the “bottom line”; and

• compromise future earnings

Slide 5

Data breach costs

► For 2007, per-record compromised costs continued to increase (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC).

► The average total cost per reporting company was more than 6.3 million US Dollars per breach, and ranged from 225,000 to almost 35 million.

Slide 6

Cause of data breach

► Lost or stolen laptops and other devices such as USB flash drives were the most significant source of a data breach. (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC)

Slide 7

Risks and Threats

► Data Breach

Media attention

Breach notifications

Brand degradation

Government Agency Audit

► Customer Complaint

Government Agency’s finding/order

Litigation

Loss of customer

► Non-Compliance

Restrictions on business activities

Loss of a contract

New privacy controls

Publicly named through a Commissioner’s order or legal proceedings

► Over-Compliance

Unnecessary restrictions on business activities

Decreased customer satisfaction

Competitive disadvantage

Slide 8

Information as an Asset

► Information is:

• ‘An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.’

• Source: ISO/IEC 27002:2005 Section 0.1

► Asset Definition:

• “anything that has value to the organization”

• Source: ISO/IEC 27001:2005, 3.1

Slide 9

Information Security not IT Security

► Information must be protected throughout its entire lifecycle:

Creation

Storage

Processing

Distribution

► Information must be protected independent from its format or media

► Not IT

Paper document (on desks, in waste bins, left on photocopiers)

Whiteboards; conversations overheard

Conversations on public transport

………

People

Slide 10

Information Security

► Information Security

• “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved”

• Source: ISO/IEC 27001:2005

► Confidentiality: Ensuring that information is accessible only to those authorized to have access. Clause 3.3 of ISO/IEC 27001

► Integrity: Safeguarding the accuracy and completeness of information and processing methods. Clause 3.8 of ISO/IEC 27001

► Availability: Ensuring that authorized users have access to information and associated assets when required. Clause 3.2 of ISO/IEC 27001

Slide 11

Information Security Management System

► Information Security Management System (ISMS)

That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

It is a management process, not a technological process

Strategic decision of an organization

• Design and implementation

• Needs and objectives

• Security requirements

• Processes employed

• Size and structure of the organization

• Scaled with ‘needs’

Slide 12

Section 2: ISO 27001:2005 and ISO 27002:2005

Slide 13

The History of ISO 27001

1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

1995: This document is amended and re-published by the British Standards Institute (BSI) as BS7799.

1996: Support and compliance tools begin to emerge, such as COBRA. David Lilburn Watson becomes the first qualified certified BS7799 Auditor.

1999: The first major revision of BS7799 is published, including many major enhancements. Accreditation and certification schemes are launched; LRQA and BSI are the first certification bodies.

2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).

Slide 14

The History of ISO 27001

2002: A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.

2005: A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.

2005: ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

Slide 15

ISO 27001

► There are two closely related standards:

• ISO/IEC 27001 is the standard specifying the requirements for an Information Security Management System (ISMS).

• ISO/IEC 27002:2005 is the standard code of practice and can be regarded as a comprehensive catalogue of good security practices.

► ISO/IEC 27001

► Specifies requirements:

For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS

► Designed to:

Ensure adequate security controls are in place to protect information assets, within a documented ISMS

Give confidence to customers & interested parties

Slide 16

Other related standards

► ISO/IEC 27006 - Information technology -- Security techniques - Requirements for bodies providing audit and certification of information security management systems

► ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications

► SSE-CMM, Software Security Engineering – Capability Maturity Model, now released as ISO 21827: 2002

Helps organizations determine their security maturity relative to a set of capability metrics

► Under development

• ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms

• ISO/IEC 27003 - ISMS implementation guide

• ISO/IEC 27004 - information security management measurements

• ISO/IEC 27005 - information security risk management

• ISO/IEC 27007 - guideline for auditing ISMSs

• ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry

• ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Slide 17

Process Approach

► ISO 27001 has adopted a Process Approach, which means an organization needs to identify and manage many activities in order to function effectively

► Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process

Inputs >>> Process >>> Outputs

** Often, outputs from one process provide inputs into the next

► Process approach for ISMS encourages users to emphasize the importance of:

understanding an organization’s information security requirements and the need to establish POLICY and OBJECTIVES for information security

implementing and operating CONTROLS to manage an organization’s information security risks in the context of the organization’s overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS, and

CONTINUAL IMPROVEMENT based on objective measurement

Slide 18

PDCA

► Plan, Do, Check, Act is to be applied to structure all ISMS processes

► The figure illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations

Slide 19

PDCA

► The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adapting the security system to changing requirements.

► This results in a control loop known as PDCA model:

Plan and implement security controls

Operate security controls

Monitor the security system and the world around you

Initiate necessary change of the security system

Slide 20

Compatibility with other management systems

► ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.

► ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.

► This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.

Slide 21

Compliance to ISO/IEC 27001

► All clauses in ISO/IEC 27001 are mandatory

Risk treatment plan based on risk assessment

Documentation supporting various clauses

Statement of applicability based on scoping, justifying the choice of controls

• Annex A lists mandatory controls to choose from

• Valid justification must be documented to eliminate a control

• Chosen controls must be documented for audit purposes

► Certification to the standard requires that all clauses be implemented

Slide 22

Process Flow for Information Security

Step 1: Define the information security policy

• Output: Information Security policy

Step 2: Define the scope of ISMS

• Output: Scope of ISMS

Step 3: Undertake risk assessment

• Considers: Threats, Vulnerabilities, Impacts; Information Assets

• Output: Risk assessment; Results and conclusions

Step 4: Manage the risk

• Considers: Organization’s approach to risk management; Degree of assurance required

• Output: Areas of risk to be managed

Step 5: Select control objectives and controls to be implemented

• Considers: Control Objectives and controls; Additional Controls

• Output: Selected control options; Statement of Applicability

Slide 23

Implementation of an ISMS - Plan

► Establish and manage the ISMS

Scope and boundaries

Policy / objectives

Define risk assessment approach

Identify risks

Analyse and evaluate the risks

Identify and evaluate options for treatment of risks

Select control objectives & controls (Annex A)

Obtain management approval of the proposed residual risks

Obtain management authorisation to implement and operate the ISMS

Prepare a Statement of Applicability
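The Plan-phase steps above (risk assessment against an acceptance criterion, residual-risk approval, control selection and the Statement of Applicability) are a workflow a practitioner usually ends up modelling in a risk register. The following Python is an added illustration, not code from the presentation or from ISO 27001: the standard requires these steps but prescribes no scoring method, so the 1-5 likelihood/impact scale, the acceptance threshold, the risk register entries, the "baseline" set and the exclusion justification are all constructed. The Annex A clause numbers are those cited later in the deck plus two removable-media/equipment controls from ISO 27001:2005; their titles are paraphrased.

```python
"""Toy model of the ISMS Plan phase (added example; not from the slides or the standard).

ISO 27001:2005 requires a risk assessment approach, evaluation against the
organization's own acceptance criteria, selection of Annex A controls, management
approval of residual risks and a Statement of Applicability (SoA). It prescribes
no scoring method: every scale and data value below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                          # 1 (negligible) .. 5 (severe), constructed scale
    controls: List[str] = field(default_factory=list)   # Annex A controls chosen as treatment
    residual_likelihood: Optional[int] = None           # expected likelihood after treatment

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # An untreated risk keeps its inherent score.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lik * self.impact


# Constructed subset of ISO 27001:2005 Annex A (titles paraphrased, not quoted).
ANNEX_A: Dict[str, str] = {
    "A.5.1.1": "Information security policy document",
    "A.6.1.3": "Allocation of information security responsibilities",
    "A.8.2.2": "Information security awareness, education and training",
    "A.9.2.5": "Security of equipment off-premises",
    "A.10.7.1": "Management of removable media",
    "A.13.1.1": "Reporting information security events",
    "A.15.1.2": "Intellectual property rights",
    "A.15.1.3": "Protection of organizational records",
    "A.15.1.4": "Data protection and privacy of personal information",
}

# Controls this fictional organization selects regardless of individual risks,
# mirroring the "common best practice" list on the Choice of controls slide.
BASELINE = {"A.5.1.1", "A.6.1.3", "A.8.2.2", "A.13.1.1"}


def evaluate(risks: List[Risk], acceptance_threshold: int) -> Tuple[List[Risk], List[Risk]]:
    """'Analyse and evaluate the risks': scores above the acceptance criterion
    must be treated; the rest are accepted as they are."""
    treat = [r for r in risks if r.score > acceptance_threshold]
    accept = [r for r in risks if r.score <= acceptance_threshold]
    return treat, accept


def residual_needing_approval(treat: List[Risk], acceptance_threshold: int) -> List[Risk]:
    """'Obtain management approval of the proposed residual risks': treated risks whose
    expected residual score still exceeds the criterion need an explicit decision."""
    return [r for r in treat if r.residual_score > acceptance_threshold]


def statement_of_applicability(treat: List[Risk], exclusions: Dict[str, str]):
    """'Prepare a Statement of Applicability': each Annex A control is selected
    (traceable to the risks or baseline justifying it) or excluded with a documented
    justification. An exclusion with no justification is returned as a finding."""
    justification: Dict[str, List[str]] = {c: ["baseline control"] for c in BASELINE}
    for r in treat:
        for c in r.controls:
            justification.setdefault(c, []).append(f"{r.asset}: {r.threat}")

    soa: Dict[str, dict] = {}
    findings: List[str] = []
    for cid, title in ANNEX_A.items():
        if cid in justification:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "; ".join(justification[cid])}
        elif cid in exclusions:
            soa[cid] = {"title": title, "applicable": False, "justification": exclusions[cid]}
        else:
            findings.append(cid)   # neither selected nor justified: audit finding
    return soa, findings


# Constructed risk register for a fictional organization.
RISKS = [
    Risk("Customer database extract", "Theft of laptop", "Unencrypted local copies",
         likelihood=4, impact=5, controls=["A.9.2.5", "A.10.7.1"], residual_likelihood=1),
    Risk("HR personnel files", "Unauthorized disclosure", "No owner for data handling",
         likelihood=3, impact=4, controls=["A.6.1.3", "A.15.1.4"], residual_likelihood=2),
    Risk("Public website", "Defacement", "Incidents not reported promptly",
         likelihood=3, impact=2, controls=["A.13.1.1"], residual_likelihood=2),
    Risk("Cafeteria menu", "Disclosure", "Printed copy on notice board",
         likelihood=5, impact=1),
]
ACCEPTANCE_THRESHOLD = 6   # constructed criterion: a score of 6 or less is accepted
EXCLUSIONS = {"A.15.1.3": "No statutory record-retention obligations within ISMS scope (constructed)"}


def run_plan_phase(risks=RISKS, threshold=ACCEPTANCE_THRESHOLD, exclusions=EXCLUSIONS) -> dict:
    treat, accept = evaluate(risks, threshold)
    soa, findings = statement_of_applicability(treat, exclusions)
    return {
        "treat": [r.asset for r in treat],
        "accept": [r.asset for r in accept],
        "needs_management_approval": [r.asset for r in residual_needing_approval(treat, threshold)],
        "soa": soa,
        "findings": findings,
    }


if __name__ == "__main__":
    result = run_plan_phase()
    for key in ("treat", "accept", "needs_management_approval", "findings"):
        print(f"{key}: {result[key]}")
    for cid, row in result["soa"].items():
        print(f"{cid} {'selected' if row['applicable'] else 'excluded'}: {row['justification']}")
```

With the constructed register, the HR risk still scores 8 after treatment and therefore surfaces for management approval rather than being silently accepted, and A.15.1.2 appears as a finding because it was neither selected nor given a documented exclusion; both are exactly the gaps an ISMS auditor looks for in a Statement of Applicability.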

Slide 24

Implementation of an ISMS - Do

► Implement and operate the ISMS

Formulate risk treatment plan

Implement risk treatment plan

Define how to measure effectiveness of selected controls

Implement controls selected to meet control objectives

Implement training and awareness

Manage operations and resources

Implement procedures and other controls

Slide 25

Implementation of an ISMS - Check

► Monitor and review the ISMS

Execute monitoring procedures and other controls

Undertake regular reviews of the effectiveness of the ISMS

Measure effectiveness of controls

Review risk assessments at planned intervals

Review level of residual risk and identified acceptable risk

Internal ISMS audits / Management review

Update security plans

Record actions and events

Slide 26

Implementation of an ISMS - Act

► Maintain and improve the ISMS

Implement identified improvements

Take appropriate corrective and preventive actions

Communicate the actions and improvements

Ensure improvements achieve intended objectives

Slide 27

Section 3: Control objectives and Controls

Slide 28

“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”

Gene Spafford, Director, COAST (Computer Operations, Audit and Security Technology), Purdue University

Slide 29

Purpose of controls in ISO/IEC 27002/27001

► ISO 27002 specifies aspects of an effective information protection program suitable to the needs of business and industry

► Protection in ISO 27002 is based on assuring integrity, availability, and confidentiality of corporate information assets

► Assurance is attained through controls that management creates and maintains within the organization.

► Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks

Slide 30

ISO 27002 domains

►Security Policy

►Organization of Information Security

►Asset management

►Human resources security

►Physical and environmental security

►Communications and Operations Management

►Access Control

►Information Systems Acquisition, Development and Maintenance

►Information Security Incident Management

►Business Continuity Management

►Compliance

Slide 31

Selection of Controls

► Additional control objectives and controls:

An organization might consider that additional control objectives and controls are necessary

► Not all the controls will be relevant to every situation:

Consider local environmental or technological constraints

In a form that suits every potential user in an organization

Slide 32

Choice of controls

► Controls considered to be essential to an organization from a legislative point of view include:

• intellectual property rights (see 15.1.2)

• safeguarding of organizational records (see 15.1.3)

• data protection and privacy of personal information (see 15.1.4).

► Controls considered to be common best practice for information security include:

• information security policy document (see 5.1.1)

• allocation of information security responsibilities (see 6.1.3)

• information security education and training (see 8.2.2)

• reporting information security events (see 13.1.1)

• information security aspects of business continuity management (see 14.1)

Slide 33

Section 4: Differences with Other Standards

ITIL, ISO 20000, Cobit

Slide 34

Definitions

COBIT

Cobit stands for Control Objective over Information and Related Technology. Cobit is issued by ISACA (Information System Control Standard), a non-profit organization for IT governance. Cobit’s main function is to help a company map its IT processes to ISACA’s best-practice standard. Cobit is usually chosen by companies performing information systems audits, whether related to a financial audit or a general IT audit.

ITIL

ITIL stands for Information Technology Library. ITIL, issued by the OGC, is a framework for managing IT service levels. Although ITIL is quite similar to COBIT in many ways, the basic difference is that Cobit sets its standard from a process- and risk-based view, whereas ITIL sets its standard from basic IT services.

Slide 35

ISO27001

ISO27001 differs considerably from both COBIT and ITIL, because ISO27001 is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL. The following table compares the three standards.

Comparison

AREA           | COBIT                               | ITIL                                | ISO27001
Function       | Mapping IT Process                  | Mapping IT Service Level Management | Information Security Framework
Area           | 4 Process and 34 Domain             | 9 Process                           | 10 Domain
Issuer         | ISACA                               | OGC                                 | ISO Board
Implementation | Information System Audit            | Manage Service Level                | Compliance to security standard
Consultant     | Accounting Firm, IT Consulting Firm | IT Consulting firm                  | IT Consulting firm, Security Firm, Network Consultant

Slide 36

Slide 37

Q&A

Slide 38

[email protected]