Shankar Subramaniyan, CISSP, CISM, ABCP, PMP, CEH

ISO27001: Implementation & Certification Process Overview

Jan 22, 2015


The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common information security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing an ISMS and getting certified against ISO27001.
The key objectives of this presentation are:
- Provide an introduction to ISO27001 and the changes in the 2013 version
- Discuss the implementation approach for an Information Security Management System (ISMS) framework
- Familiarize the audience with some common challenges in implementation
Transcript
1. ISO27001: Implementation & Certification Process Overview
   Shankar Subramaniyan, CISSP, CISM, ABCP, PMP, CEH

2. Agenda
   - Overview and changes in ISO27001:2013
   - Implementation approach & common challenges in implementation
   - Certification process overview

3. Overview and changes in ISO27001:2013

4. Overview
   - Most widely recognized security standard in the world
   - Process based: it sets up an Information Security Management System (ISMS) framework
   - Addresses information security across industries
   - Comprehensive in its coverage of security controls
   Certification counts by country: http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001&countrycode=US#countrypick

5. Benefits: Culture and Controls
   ISO27001 is a culture one has to build in the organization, which helps to:
   - Increase security awareness within the organization
   - Identify critical assets via the business risk assessment
   - Provide a framework for continuous improvement
   - Bring confidence internally as well as to external business partners
   - Enhance the knowledge and importance of security-related issues at the management level
   - Provide a combined framework to meet multiple client requirements/compliance requirements
   Benefit areas: Compliance, Competitive Advantage, Reduced Cost, Process Improvement

6. ISO27000 Series (only a few are mentioned here)
   - 27000: Information Security Management System Fundamentals and vocabulary (13335-1)
   - 27001: Information Security Management System Requirements
   - 27002: Code of Practice for Information Security Management
   - 27003: Information Security Management System Implementation guidelines
   - 27004: Information Security Management Measurements (metrics)
   - 27005: Information Security Risk Management (13335-2)
   Vocabulary standard: 27000. Requirement standard: 27001. Guideline standards: 27002, 27003, 27004, 27005.
   ISO27001 (certified) vs ISO27002 (compliant): an organization is certified against 27001 and can only be compliant with 27002.
7. ISO 27001: 2005 vs 2013 (clause structure)

   2005                                       2013
   1 Scope                                    1 Scope
   2 Normative references (ISO 17799:2005)    2 Normative references
   3 Terms & definitions                      3 Terms and definitions
   4 ISMS                                     4 Context of the organization
   5 Management responsibility                5 Leadership
   6 Internal ISMS audits                     6 Planning
   7 Management review of ISMS                7 Support
   8 ISMS improvement                         8 Operation
                                              9 Performance evaluation
                                              10 Improvement

   The revised version has a high-level structure similar to other management system standards, to make integration easier when implementing more than one management standard. The revision addresses the need to align information security management and its strategy with the business strategy, and makes the standard adaptable for SMEs.
   * http://www.dionach.nl/blog/iso-27001-2013-transition-0

8. Major Changes
   - Context of the organization: interested parties; interfaces/boundaries; align organization strategies with security objectives
   - Risk assessment and treatment: an asset register is no longer mandatory; risk owners and risk-treatment approval; Statement of Applicability shows control implementation status
   - Objectives, monitoring and measurement: risk treatment and ISMS effectiveness
   - Communication
   - Documented information (replaces the separate "documents" and "records" requirements)
   - Corrective & preventive actions (the 2013 edition keeps corrective action and drops the separate preventive-action clause in favour of risk-based planning)
   Source: http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/
9. Annexure A (controls): 2005 vs 2013

   2005: 11 clauses (domains), 39 control objectives, 133 control activities
   - Security policy
   - Organization of information security
   - Asset management
   - Human resource security
   - Physical and environmental security
   - Communications and operations management
   - Access control
   - Information system acquisition, development and maintenance
   - Information security incident management
   - Business continuity planning
   - Compliance

   2013: 14 clauses (domains), 35 categories (control objectives), 114 control activities
   - Information security policies
   - Organization of information security
   - Human resource security
   - Asset management
   - Access control
   - Cryptography
   - Physical and environmental security
   - Operations security
   - Communications security
   - System acquisition, development and maintenance
   - Supplier relationships
   - Information security incident management
   - Information security aspects of business continuity management
   - Compliance

10. Annexure A (control structure), 2013 example
   14 clauses (domains) > 35 categories (control objectives) > 114 control activities
   A.7 Human resource security (clause/domain)
     A.7.1 Prior to employment (category/control objective)
       A.7.1.1 Screening
       A.7.1.2 Terms and conditions of employment
     A.7.2 During employment (category/control objective)
       A.7.2.1 Management responsibilities
       A.7.2.2 Information security awareness, education and training
       A.7.2.3 Disciplinary process
11. Control Changes

   New controls (2013 numbering)
   - A.6.1.5 Information security in project management
   - A.14.2.1 Secure development policy: rules for development of software and information systems
   - A.14.2.5 Secure system engineering principles: principles for system engineering
   - A.14.2.6 Secure development environment: establishing and protecting the development environment
   - A.14.2.8 System security testing: tests of security functionality
   - A.16.1.4 Assessment of and decision on information security events: part of incident management
   - A.17.2.1 Availability of information processing facilities: achieving redundancy

   Controls deleted (2005 numbering)
   - 6.2.2 Addressing security when dealing with customers
   - 10.4.2 Controls against mobile code
   - 10.7.3 Information handling procedures
   - 10.7.4 Security of system documentation
   - 10.8.5 Business information systems
   - 10.9.3 Publicly available information
   - 11.4.2 User authentication for external connections
   - 11.4.3 Equipment identification in networks
   - 11.4.4 Remote diagnostic and configuration port protection
   - 11.4.6 Network connection control
   - 11.4.7 Network routing control
   - 11.5.5 Session time-out
   - 11.5.6 Limitation of connection time
   - 11.6.2 Sensitive system isolation
   - 12.2.1 Input data validation
   - 12.2.2 Control of internal processing
   - 12.2.3 Message integrity
   - 12.2.4 Output data validation
   - 12.5.4 Information leakage
   - 14.1.2 Business continuity and risk assessment
   - 14.1.3 Developing and implementing business continuity plans
   - 14.1.4 Business continuity planning framework
   - 15.1.5 Prevention of misuse of information processing facilities
   - 15.3.2 Protection of information systems audit tools

12. Implementation Process Overview

13. ISMS Process: PDCA Model (people, process, technology)
   - Plan: define security policies and procedures
   - Do: implement and manage security controls/processes
   - Check: review/audit security management and controls
   - Act: implement identified improvements, corrective/preventive actions
14. Implementation Approach
   Project set-up & plan
   Phase I: Baseline information security assessment
   - Identify the scope and coverage of information security
   - Assess the current environment
   - Prepare a baseline information security assessment report
   Phase II: Design of information security policy & procedures
   - Establish security organization & governance
   - Identify information assets and their corresponding information security requirements
   - Assess information security risks and treat information security risks
   - Select relevant controls to manage unacceptable risk
   - Formulate information security policy & procedures
   - Prepare the Statement of Applicability
   Phase III: Implementation of information security policy
   - Implementation of controls
   - Security awareness training
   Phase IV: Pre-certification audit
   - Review by internal audit and management review
   - Corrective action and continuous improvement

15. Asset Profiling & Risk Assessment
   An information asset is any information, in any format, used to operate and manage the business. It includes electronic information, paper-based assets, hardware assets (servers, desktops, other IT equipment), software assets, equipment and people.

   Asset register columns: Sl. no | Asset | Location | Owner | Custodian | User | Asset number

   Risk factor = Asset value * Exposure factor * Probability of occurrence

16. Information Security Policy Management Documents
   Inputs: risk assessment report; contractual obligations; business requirements; legal or regulatory requirements
   Document hierarchy (top to bottom):
   - Information security policy document
   - Information security procedures document
   - Information security guidelines and standards
   - Information security awareness solutions
   Statement of Applicability (derived from the risk assessment and the selected controls)
17. Implementation Cost & Timeline
   Implementation cost
   - Acquiring knowledge (training/consultant)
   - Implementation of process tools & new technology
   - Employees' time (training/risk assessment)
   - Certification body
   Cost factors
   - Number of sites
   - Number of employees
   - Type of industry
   - Existing process maturity
   - Number of servers (IT landscape)
   Implementation key events
   - Security organization
   - Asset profiling
   - Risk assessment
   - Policies & procedures development
   - Implementation
   - Awareness training
   - Internal audit
   - Management review

18. Common Implementation Challenges
   - Business alignment (management support)
   - Allocation of security responsibilities (the IT department is the one driving security)
   - Process and people focus (not just technology)
   - Communication and delivery of policies & procedures (approachability and availability of policy documents)
   - Adequate deployment
   - IT challenges

19. Certification Process Overview

20. Certification Process: Stage 1 Audit (desktop/document review)
   The desktop review (Stage 1 audit) enables the certifying body to gain an understanding of the ISMS in the context of the organization's security policy and objectives and its approach to risk management. It provides a focus for planning the Stage 2 audit and is an opportunity to check the preparedness of the organization for implementation.
   It includes a review of the following documents:
   - Scope document
   - Security policy and procedures
   - Risk assessment report
   - Risk treatment plan
   - Statement of Applicability

   Documentation levels reviewed:
   - L1 Security manual: policy, scope, risk assessment, Statement of Applicability
   - L2 Procedures: describe processes (who, what, when, where)
   - L3 Work instructions, forms, etc.: describe how tasks and specific activities are done
   - L4 Records: provide objective evidence of compliance with ISMS requirements
21. Mandatory Documents
   Lists of certification bodies can be found on accreditation body websites, e.g. http://www.anab.org (USA), http://www.ukas.com (UK) and http://www.iaf.nu (directory of all accreditation bodies).
   Source: http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/

22. Certification Process (contd.)
   Stage 2 audit (implementation)
   - Based on the Stage 1 audit findings, the certification body produces the Stage 2 audit plan
   - It takes place at the site of the organization
   - The Stage 2 audit covers:
     - Confirmation that the organization is acting in accordance with its own policies, objectives and procedures
     - Confirmation that the ISMS conforms with all the requirements of the ISO27001:2013 standard and is achieving the organization's policy objectives
   Stage 3: surveillance and recertification
   - The certificate awarded lasts for three years, after which the ISMS needs to be re-certified
   - During this period there will be surveillance audits (e.g. every 6 to 9 months)
   - After 3 years one needs to go for recertification

23. THANK YOU
   Resources:
   - http://iso27001security.com/
   - http://www.iso27001standard.com/en
   Email: [email protected]