ISO 27001 PPT Varinder Kumar

ISMS Systematic Approach
Agenda
• ISO 27001 Overview
• ISMS Methodology
• Systematic Approach
• ISMS Auditing
ISO 27001 Overview
ISO 2700x Series Standard
ISO/IEC Std. – Description
27000 – Vocabulary and Definitions, free to download
27001 – Requirements
27002 – Code of Practice
27003 – Implementation Guidance
27004 – Metrics and Measurements
27005 – Risk Management. ISO 31000 is also used in conjunction with 27005
ISO/IEC 27001:2013
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resource Security
• Physical & Env. Security
• Comm. & Operation Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
ISO 27001 Audit Stages
• Conducted in two stages, both to identify compliance with ISO 27001:2013
• Audit Stage 1 – Documentation Review
• Audit Stage 2 – Implementation Audit
• Maintain Requirements
  • Continuous Risk Management
  • Scope Reviews – Changes in business, locations etc.
  • Internal Audits
  • External Audits (Surveillance and Certification Audits)
Implementation Methodology
PDCA Approach – ISMS Implementation
Input: Info. Sec. Req. & Exp.
Output: Managed Info. Sec.
Establish the ISMS (Plan)
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA/RT options
- SOA
- C&CO
Implement and Operate the ISMS (Do)
- Risk Treatment Plan
- Implement selected C&CO
- Define Measurements
- Training and Awareness
Monitor and Improve the ISMS (Check)
- Management Review
- ISMS Metrics -> Control Effectiveness Review
- RA
- Internal Audit
Maintain and Improve the ISMS (Act)
- Implement the Improvements
- Corrective Act. and Preventive Act.
Continual Improvement of the Management System
Implementation Approach
High Level Certification Plan (timeline: 1 Month, 2 Months, 3 Months)
Phase I – Plan and Manage Program
• Mobilize Program
• Launch Program
Phase II – Implementation
Certification
ISO Core Team – Proposed
• MR/ISO Lead
• IT Team
• Audit Team
• Consultant
• Functional Leads (Support Groups) – SPOCs
• Service Delivery Leads (Projects) – SPOCs
Security Committee
Role
The Security Committee is a key driver of our organization’s security aspects. The Committee needs to meet at planned intervals to review the effectiveness of the Information Security Management System. The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.
Frequency
At least once a quarter. However, until certification the Security Committee will meet regularly, since it has to approve all documents and play an active role in the risk assessment.
Outcomes
Key decisions made on the effectiveness of the ISMS.
Risk Assessment – Phases
“Identifying Information Assets, Assigning values to them and Controlling Risks are essential ISO 27001 requirements”
Asset Identification and Valuation
Categorize Assets:
- Physical Assets
- Information Assets
- Software Assets
- Services
- Voice Information
Value Assets based on C.I.A.:
Confidentiality – Ensuring that information is accessible only to those authorized to have access.
Integrity – Safeguarding the accuracy and completeness of information and processing methods.
Availability – Ensuring that authorized users have access to information and associated assets when required.
Asset Valuation Approach – BIA method
Documentation
Mandatory Records
• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
• Risk assessment report (clauses 8.2 and 8.3)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)
Supporting Records
• Procedure for document control (clause 7.5)
• Controls for managing records (clause 7.5)
• Procedure for internal audit (clause 9.2)
• Procedure for corrective action (clause 10.1)
• Bring your own device (BYOD) policy (clause A.6.2.1)
• Mobile device and teleworking policy (clause A.6.2.1)
• Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
• Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
• Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
• Procedures for working in secure areas (clause A.11.1.5)
• Clear desk and clear screen policy (clause A.11.2.9)
• Change management policy (clauses A.12.1.2 and A.14.2.4)
• Backup policy (clause A.12.3.1)
• Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
• Business impact analysis (clause A.17.1.1)
• Exercising and testing plan (clause A.17.1.3)
• Maintenance and review plan (clause A.17.1.3)
• Business continuity strategy (clause A.17.2.1)
Documentation
Mandatory Documents & Records
• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Supporting Documents & Records
• Records of log reviews
• Records of RCA, preventive actions and corrective actions
• Vendor security review records
• Access reviews
• BCP testing and restoration records
• Records of disposal of information assets
• Records of secure information erasure
• Disciplinary action records
• BG check records
• Third-party personnel verification records
• Incident management & incident records
• & more
Q&A