Certified ISO/IEC 27001 Foundation Participant Handbook Information Security Training
ISO 27001 Foundation Course Student Handbook - ITpreneurs
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Foundation | Participant Handbook
Examination and Certification
Exam
The objective of the exam is to ensure that the candidate has the basic knowledge and skills to participate in the implementation of an Information Security Management System (ISMS) based on ISO 27001.
The exam only contains essay questions.
The participants have the right to use all their documentation.
The exam lasts 1 hour.
Minimum passing score: 70%.
ISO 27001 Foundation
Prerequisites for Certification
Pass the exam
Adhere to the PECB Code of Ethics
No professional experience required
No security experience required
The organization must comply with the applicable laws and regulations.
In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition.
In all cases, laws take precedence over standards.
ISO 27001 can be used to comply with several laws and regulations.
Section 3 Information Security Management System (ISMS)
1. Definition of an ISMS
2. Process approach
3. Structure of the ISO 27001 standard
4. Overview – Clauses 4 to 8
5. Annex A
6. Implementation methodology
Information Security Management System
ISO 27001, clause 3.7
“That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
Implement the ISMS
Risk treatment plan: define the plan (actions, resources, responsibilities, priorities, objectives) and put it in place
Implement the controls: implement the controls and define how to measure the effectiveness of the selected controls
ISMS management: manage ISMS operations daily
Training and awareness: set in place a training and awareness program
Incident management: set in place an incident management process to detect and treat incidents rapidly
Documentation requirements
ISO 27001, clause 4.3
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.
It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
ISO 27001, clause 4.3.1
ISMS Policy and Objectives
ISMS Monitoring and Review
ISO 27001, clause 4.2.3
1. Monitoring and review of detection and security event prevention procedures
2. Regular review of the effectiveness of the ISMS, taking into account the feedback and suggestions of interested parties
3. Measurement of the effectiveness of controls
4. Review of risk assessments
5. Conducting the internal audits
6. Management review and update of security plans
Note: Each of these actions must be documented and recorded
Management responsibility
ISO 27001, clause 5
5.1 Management commitment: Management shall provide evidence of its commitment to the ISMS
5.2.1 Make resources available: Management shall determine and provide the necessary resources for the ISMS
5.2.2 Training, awareness and competency: Management shall ensure that personnel who have been assigned responsibilities defined in the ISMS have the necessary competencies to perform the required tasks
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review.
ISO 27001, Annex A
ISO 27002 Domains
A 5 Security policy
A 6 Organization of information security
A 7 Asset management
A 8 Human resources security
A 9 Physical and environmental security
A 10 Communications and operations management
A 11 Access control
A 12 Information systems acquisition, development and maintenance
A 13 Information security incident management
A 14 Business continuity management
A 15 Compliance
Understanding the organization and clarifying the information security objectives
ISO 27003, clause 5.2 and ISO 27005, clause 7
Input
• General information about the organization
• Strategic objectives of the organization
• List of applicable laws, contracts and signed agreements
Actions
• Establish and analyze the external and internal environment
• Clarify the objectives of information security
• Identify and analyze the applicable requirements of the ISMS
Output
• Brief description of the organization
• List of stakeholders
• Objectives, priorities and requirements related to the ISMS
• List of applicable legal, regulatory and contractual obligations
• Preliminary scope
List of activities
Understanding the organization, determination of the objectives and security policies
Initiating the ISMS
1. Mission, objectives, values, strategies
2. External environment
3. Internal environment
4. Key processes and activities
5. IT infrastructure
6. Interested parties
7. Legal, regulatory and contractual requirements
8. Clarification of the objectives
9. Definition of scope
10. Gap analysis
11. Security and ISMS policy
2. Introduction
• The information and processes, systems and networks that enable the treatment of important assets for [ABC] in carrying out its business mission.
• [ABC] should ensure respect for the integrity, confidentiality and availability of information generated or stored within the scope of the ISMS.
• [ABC] shall ensure the protection of its information assets against threats, internal or external, accidental or deliberate.
3. Scope of the ISMS
• This policy supports the security policy and the information security policy.
• This policy applies to all activities of [ABC] included in the scope of the information security management system.
4. Objectives of the policy
• Ensure continuity of critical business activities.
• Ensure that all information processed, stored, traded or released by the organization is of absolute integrity.
• Ensure that all information relevant to the organization will be monitored and stored according to procedures for maintaining appropriate confidentiality.
• Ensure the selection of appropriate and proportionate security controls to protect the assets and give confidence to the interested parties.
• Ensure effective and efficient management of information security.
5. Principles of the ISMS policy
• [ABC] shall establish, implement, operate, monitor, review, maintain and improve an ISMS based on a documented approach to the risks related to its activity and in compliance with all requirements of ISO/IEC 27001.
• [ABC] should take into account all legal, regulatory and contractual requirements in the management of the ISMS in order to avoid breaching its legal, statutory, regulatory or contractual obligations and security requirements.
• The legal and regulatory requirements will be met in priority, even if they are inconsistent with the policy described here.
• [ABC] shall establish and implement a documented risk management program in accordance with the requirements of ISO/IEC 27001. Criteria for evaluation and acceptance of risk must be established, formalized and approved by management.
• This policy has been approved by management and is subject to an annual review.
Example of the Information Security Policy Model (extract)
1. Policy Summary
• Information should always be protected, whatever its form and however it is shared, communicated or stored.
2. Introduction
• Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
• Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
3. Scope
• This policy supports the organization’s general security policy.
• This policy applies to all of the organization.
4. Information Security Objectives
• Strategic and operational information security risks are understood and treated to be acceptable to the organization.
• The confidentiality of customer information, product development and marketing plans is protected.
• The integrity of accounting records is preserved.
• Public web services and internal networks meet specified availability standards.
5. Information Security Principles
• This organization encourages risk-taking and tolerates risks that might not be tolerated in conservatively managed organizations, provided that information risks are understood, monitored and treated when necessary. Details of the approach taken to risk assessment and treatment are found in the ISMS policy.
• All staff will be made aware of and accountable for information security as relevant to their job role.
• Provision will be made for funding information security controls in operational and project management processes.
• Possibilities for fraud associated with abuse of information systems will be taken into account in the overall management of information systems.
• Information security status reports will be available.
• Information security risks will be monitored and action taken when changes result in risks that are not acceptable.
• Criteria for risk classification and risk acceptability are found in the ISMS policy.
• Situations that could place the organization in breach of laws and statutory regulations will not be tolerated.
Example of specific policies
Example of a policy on e-mail use
1. Policy Summary
• The email system is a resource belonging to the company and is available to users for business purposes.
• Occasional, non-abusive personal use of email is tolerated only insofar as it takes place during the user’s free time and does not impair the performance of their work.
2. Introduction
• All outgoing email from the company may be identified as part of its public image, so email management is necessary to prevent users from tarnishing this image.
• This policy aims to regulate the use of email by all users as part of their work.
3. Scope
• This policy covers appropriate use of any email sent from an email address of the company.
• This policy applies to all employees, members of management and contract personnel using a corporate email address provided by the company.
4. Information Security Objectives
• Prevent the public image of the company from being tainted by improper or inadequate use of the corporate email addresses made available to stakeholders.
• Prevent the risks of junk email (spam) arising from improper use of email, both internally and by third parties related to the company or even outside bodies.
5. Information Security Principles
• Prohibited use: The corporate email address will not be used for offensive, insulting or racist purposes. Any user who observes this type of use by a colleague should immediately inform their direct supervisor.
• Personal use: Reasonable use of company resources for personal purposes is acceptable, but non-business emails will be saved and filed in directories separate from those used for business purposes. It is also forbidden to pass on chain emails or jokes; this prohibition also applies to relaying emails that were received from colleagues.
• Monitoring: Users acknowledge that they have no expectation of privacy for work emails stored on or sent through company systems. The company may monitor messages circulating on its infrastructure without prior notification, but is not obliged to make this surveillance continuous or systematic.
• Penalties: Any user who violates this policy through the use of email may be subject to disciplinary action, including dismissal or, in the case of contract personnel, final termination of their contract.
ISO 27001 Foundation training
Section 5 Selection of the approach and methodology for risk assessment and identification of risk
1. Approach to risk assessment
2. Methodology for risk assessment
3. Identification of assets with their owners
4. Identification of threats
5. Identification of existing security controls
6. Identifying vulnerabilities
7. Identifying the consequences
Selection of the approach and methodology for risk assessment
ISO 27001, clause 4.2.1c and ISO 27005, clause 7
Input
• All relevant information on the organization for the implementation of risk management
• Scope
• ISMS Policy
Activities
• Choose the risk assessment approach
• Choose the risk assessment methodology
• Define criteria for risk acceptance
• Identify acceptable levels of risk
• Plan the activities
Output
• Description of the risk assessment approach
• Description of the risk assessment methodology
• Criteria for risk acceptance
• Description of levels of acceptable risk
• Activity planning
Information security risk
ISO 27005, clause 3.2 and ISO 27000, clause 2.24
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Note: it is measured in terms of a combination of the likelihood of an event and its consequence.
List of activities
Selecting an approach and methodology for risk assessment
Understanding the organization
Scope
1. Risk assessment approach
2. Risk assessment methodology
3. Risk assessment criteria
4. Acceptable risk levels
Identify the risks
1. Selecting an approach to risk estimation
ISO 27005, clause 8.2.2.1
Qualitative estimation: uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur.
Quantitative estimation: uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for both consequences and likelihood, using data from a variety of sources.
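As an added illustration that is not part of the handbook, the Python below keeps a small risk register with the identification inputs of Section 5 (asset and owner, threat, existing controls, vulnerability, consequence), rates each entry with a qualitative likelihood x consequence matrix, applies a risk acceptance level, and shows the quantitative counterpart as an expected annual loss. The matrix thresholds, the register entries and the acceptance level are constructed assumptions, not values from the standard.

```python
from dataclasses import dataclass

# Qualitative scales from ISO 27005 clause 8.2.2.1: Low / Medium / High.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(likelihood: str, consequence: str) -> str:
    """Qualitative estimation: look up a likelihood x consequence matrix.
    The thresholds are an assumption; each organization defines its own."""
    score = SCALE[likelihood] * SCALE[consequence]  # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def quantitative_risk(events_per_year: float, loss_per_event: float) -> float:
    """Quantitative estimation: expected annual loss = likelihood x consequence."""
    return events_per_year * loss_per_event


@dataclass
class Risk:
    """One register entry, mirroring identification steps 3 to 7 of Section 5."""
    asset: str
    owner: str
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: str
    consequence: str


# Constructed sample register (not from the handbook).
REGISTER = [
    Risk("Customer database", "Sales director", "Unauthorized disclosure",
         "Backups are not encrypted", "Access control on production DB",
         "Medium", "High"),
    Risk("Public web server", "IT manager", "Denial of service",
         "Single internet link", "None", "Medium", "Medium"),
    Risk("Office printers", "Facilities", "Hardware failure",
         "Aging equipment", "Maintenance contract", "Medium", "Low"),
]


def assess(risks, acceptable_level="Low"):
    """Apply the risk acceptance criterion: return (risk, level) pairs whose
    level exceeds the acceptable level, highest first; the rest are accepted."""
    rated = [(r, risk_level(r.likelihood, r.consequence)) for r in risks]
    to_treat = [p for p in rated if SCALE[p[1]] > SCALE[acceptable_level]]
    return sorted(to_treat, key=lambda p: SCALE[p[1]], reverse=True)


if __name__ == "__main__":
    for r, level in assess(REGISTER):
        print(f"{level:6} {r.asset} ({r.owner}): {r.threat} via {r.vulnerability}")
```

Raising the acceptable level to "Medium" drops the web server from the treatment list, which is exactly the effect of the acceptance criteria defined in the previous slide.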
2. Selecting a risk assessment methodology
Criteria to take into account
1. Compatibility with all criteria required by ISO 27001
2. Language of the method: it is essential to master the vocabulary used
3. Existence of software tools facilitating its use
4. Documentation, training, support and skilled personnel available
5. Ease and pragmatic use of the method
6. Cost of utilization
7. Existence of comparison material (metrics, case studies, etc.)
Risk Management Methodologies
List of the most used tools available
Method | Origin | Brief description of the phases
OCTAVE | U.S. (CERT) | Profiling of the security needs, study of vulnerabilities, and development of the strategy and security plan
CRAMM | U.K. (Siemens) | Definition of the assets put at risk, risk and vulnerability analysis, and identification and selection of security controls
MICROSOFT | U.S. (Microsoft) | Assessment of risk, decision support, establishment of controls, and measurement of program effectiveness
EBIOS | France (DCSSI) | Study of the context, definition of the security needs, study of threats, identification of security objectives, and determination of the security requirements
MEHARI | France (CLUSIF) | Analysis and classification of the critical assets, diagnosis of security services, risk analysis, and definition of security plans
3. Identification of existing controls
ISO 27005, clause 8.2.1.4
In the initiation phase of the ISMS, if the organization has conducted a gap analysis, it already has data on existing security controls. To gather the appropriate information in the organization, the following may be helpful:
1. Examination of documents containing information on security controls