Unlock-02a-27001LI-En-Day1-V4.9.4-20140917EL

Schedule for Day 1
Section 01 : Course objective and structure
Section 02 : Standard and regulatory framework
Section 03 : Information Security Management System (ISMS)
Section 04 : Fundamental Principles of Information Security
Section 05 : Initiating the ISMS implementation
Section 06 : Understanding the organization and clarifying the information security objectives
Section 07 : Analysis of the existing management system
© 2005 PECB
Version 4.9.4
Eric Lachapelle (Editor)
Document number: ISMSLID1V4.9.4
Documents provided to participants are strictly reserved for training purposes and are copyrighted by
PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission,
reproduced or used in any way or format or by any means whether it be electronic or mechanical including
photocopy and microfilm.
© PECB official training – Reproduction prohibited without authorization
1
Day 1: Introduction to ISO 27001 and initiation of an ISMS
• Section 01 : Course objective and structure (Pg. 5)
• Section 02 : Standard and regulatory framework (Pg. 21)
• Section 03 : Information Security Management System (ISMS) (Pg. 41)
• Section 04 : Fundamental principles of information security (Pg. 68)
• Section 05 : Initiating the ISMS implementation (Pg. 93)
• Section 06 : Understanding the organization and clarifying the information security objectives (Pg. 107)
• Section 07 : Analysis of the existing management system (Pg. 137)
Day 2: Plan the implementation of the ISMS
• Section 08: Leadership and approval of the ISMS project (Pg. 2)
• Section 09: ISMS scope (Pg. 19)
• Section 10: Policies for information security (Pg. 36)
• Section 11: Risk assessment (Pg. 57)
• Section 12: Statement of Applicability and management decision to implement the ISMS (Pg. 120)
• Section 13: Definition of the organizational structure of information security (Pg. 131)
Day 3: Deploying the ISMS
• Section 14: Definition of the document management process (Pg. 2)
• Section 15: Design of security controls and drafting of specific policies & procedures (Pg. 24)
• Section 16: Communication plan (Pg. 39)
• Section 17: Training and awareness plan (Pg. 54)
• Section 18: Implementation of security controls (Pg. 70)
• Section 19: Incident Management (Pg. 112)
• Section 20: Operations Management (Pg. 129)
Day 4: ISMS measurement, continuous improvement and preparation for certification audit
• Section 21: Monitoring, measurement, analysis and evaluation (Pg. 2)
• Section 22: Internal audit (Pg. 19)
• Section 23: Management review (Pg. 45)
• Section 24: Treatment of problems and non-conformities (Pg. 55)
• Section 25: Continual improvement (Pg. 71)
• Section 26: Preparing for the certification audit (Pg. 81)
• Section 27: Competence and evaluation of implementers (Pg. 101)
• Section 28: Closing the training (Pg. 122)
Normative references used in this training
1. Main standards
• ISO 19011:2011, Guidelines for auditing management systems.
• ISO/IEC 27000:2016, Information technology — Security techniques — Information security management systems — Overview and vocabulary.
• ISO/IEC 27001:2013, Information Security Management Systems – Requirements.
• ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security management.
• ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance.
• ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement.
• ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management.
2. Other standard references
• ISO Guide 73:2009, Risk management – Vocabulary.
• ISO 9000:2015, Quality management systems – Fundamentals and vocabulary.
• ISO 9001:2015, Quality management systems – Requirements.
• ISO 14001:2015, Environmental management systems – Requirements with guidance for use.
• ISO/IEC 17011:2004, Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies.
• ISO 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
• ISO 17024:2012, Conformity assessment — General requirements for bodies operating certification of persons.
• OHSAS 18001:2007, Occupational Health and Safety Management Systems — Requirements.
• ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements.
• ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.
• ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain.
• ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
• ISO/IEC 27006:2015, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
• ISO/IEC 27007:2011, Information technology — Security techniques — Guidelines for information security management systems auditing.
• ISO/IEC TR 27008:2011, Information technology — Security techniques — Guidelines for auditors on information security controls.
• ISO 28000:2007, Specification for security management systems for the supply chain.
• ISO 31000:2009, Risk management – Principles and guidelines.
• ISO/TS 16949:2009, Quality management systems — Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations.
List of acronyms and abbreviations used in this training
BS: British Standard
BCMS: Business Continuity Management System
CERT: Computer Emergency Response Team
CMS: Content Management System
CobiT: Control Objectives for Business and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document Management System
EA: European Co-operation for Accreditation
EDM: Electronic Document Management System
EMS: Environment management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IAF: International Accreditation Forum
IFAC: International Federation of Accountants
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Standards Organization
ITIL: Information Technology Infrastructure Library
LA: Lead Auditor
LI: Lead Implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OHSAS: Occupational Health and Safety Assessment Series
OECD: Organization for Economic Co-operation and Development
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
QMS: Quality management system
PECB: Professional Evaluation and Certification Board
ROI: Return on Investment
ROSI: Return on Security Investment
SMS: Service management system
SoA: Statement of applicability
SOX: Sarbanes-Oxley Act
Section 1 : Course objectives and structure
Section 1 : Course objectives and structure
To break the ice, participants introduce themselves stating:
• Name;
• Current position;
• Knowledge of and experience with information security;
• Knowledge of and experience with ISO 27001 and other standards of the 27000 family (27002, 27003, 27004, 27005, ...);
• Knowledge of and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, ISO 22301, etc.);
• Course expectations and objectives.
Duration of activity: 20 minutes
Section 1 : Course objectives and structure
• For simplification, only the masculine is used throughout this training and is not meant to offend
anyone.
• In case of emergency, please be aware of exits.
• Agree on course schedule and two breaks (be on time).
• Set your cell phone on vibration and if you need to take a call, please do it outside the classroom.
• Recording devices are prohibited because they may restrict free discussions.
Section 1 : Course objectives and structure
The main objective of this training is to acquire and/or enhance the knowledge and competencies to
participate in the implementation of an Information Security Management System based on ISO 27001.
From an educational view, competency consists of the following 3 elements:
1. Knowledge;
2. Skill;
3. Behavior (attitude).
The training focuses on the acquisition of knowledge necessary for the implementation of a compliance
framework for ISO 27001 and not on the acquisition of expertise in information security. Minimal knowledge
of information security is however required for successful completion of the course.
This training is not intended as a simple list of the requirements of the ISO 27001 standard together with
high-level advice on the implementation approach. In addition to presenting the theoretical knowledge needed by an
ISMS project manager, it presents a comprehensive implementation methodology. Thus, at the
end of this course, participants will know how to implement a compliance framework for
ISO 27001, not only why or what to do.
To obtain more in-depth knowledge of the audit techniques of an ISMS, it is recommended to take the
Certified ISO 27001 Lead Auditor course.
Section 1 : Course objectives and structure
The objective of this training is to ensure that, on the day following the end of the training, the
candidate can actively participate in the implementation of a compliance framework for ISO 27001.
This training focuses on the reality of conducting a compliance project. The case study and exercises are
used to simulate conditions as close as possible to reality.
Regarding attitude, several exercises will allow the candidate to strengthen his personal qualities necessary
for an implementer to act with due professional care during the implementation such as decision-making
ability, teamwork, openness of mind, etc.
Section 1 : Course objectives and structure
This course is primarily based on:
• Trainer-led sessions, where questions are welcomed.
• Student involvement in various ways: exercises, case studies, notes, reactions, discussions (participant
experiences).
Remember, this course is yours: you are the main players in its success.
Students are encouraged to take additional notes. Extra blank pages are available at the end of each day's
notes.
Exercises are essential to acquire the skills needed to conduct the implementation of a management system. It is
therefore very important to do them conscientiously. In addition, these exercises prepare students for the
final examination.
Section 1 : Course objectives and structure
The objective of the certification examination is to ensure that implementer candidates have mastered
ISMS concepts and techniques so that they are able to participate in ISMS project assignments. The PECB
examination committee shall ensure that the development and adequacy of the exam questions are
maintained based upon current professional practice.
The questions are developed and maintained by a committee of information security specialists that are all
ISO 27001 Lead Implementer certified.
The exam only contains essay questions. The duration of the exam is 3 hours. The minimum
passing score is 70%.
All notes and reference documents may be used during the exam excluding the use of a computer.
The exam is available in several languages. When taking the exam, please ask the trainer or check on the
PECB website to know the list of available languages.
All seven competency domains are covered by the examination. To read a detailed description of each
competency domain, please visit the PECB website.
Section 1 : Course objectives and structure
Passing the exam is not the only prerequisite to obtain the credential of “PECB Certified ISO/IEC
27001 Lead Implementer”. This credential endorses both the passing of the exam and the validation of
the professional experience records. Unfortunately, many people claim they are ISO 27001 Lead
Implementer-qualified after a successful exam, although they do not have the required experience level.
The set of criteria and the certification process are explained in detail on the last day of the
training.
A candidate with lesser experience can apply for the credential of “PECB Certified ISO/IEC 27001
Implementer” or “PECB Certified ISO/IEC 27001 Provisional Implementer”.
Important note: Certification fees are included in the examination price. The candidate will therefore not
have to pay any additional costs when applying for certification at their corresponding experience level, so
as to receive one of the professional credentials: PECB Certified ISO/IEC 27001 Provisional Implementer,
PECB Certified ISO/IEC 27001 Implementer or PECB Certified ISO/IEC 27001 Lead Implementer.
Section 1 : Course objectives and structure
After passing the exam, the candidate has a maximum period of three years to apply for one of the
professional credentials related to the ISO 27001 certification scheme.
When the candidate is certified, he will receive, via electronic mail, from PECB a certificate valid for three
years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the
requirements for the assigned credential and abiding to PECB’s Code of Ethics. To learn more about
certificate maintenance and renewal procedure please visit PECB Website. At the end of the training, more
details will be given.
An electronic (PDF) course completion certificate, worth 31 CPD (Continuing
Professional Development) credits, will be issued (sent via email) to participants after the training.
Section 1 : Course objectives and structure
PECB is a certification body for persons, management systems, and products on a wide range of
international standards. As a global provider of training, examination, audit, and certification services,
PECB offers its expertise in multiple fields, including but not limited to Information Security, IT, Business
Continuity, Service Management, Quality Management Systems, Risk Management, Health, Safety, and
Environment.
We help professionals and organizations to show commitment and competence with internationally
recognized standards by providing this assurance through education, evaluation and
certification against rigorous, internationally recognized competence requirements. Our mission is
to provide our clients comprehensive services that inspire trust, continual improvement,
demonstrate recognition, and benefit society as a whole. PECB is accredited by IAS against
ISO/IEC 17024, ISO/IEC 17021 and ISO/IEC 17065.
The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for
certification and to administer credible certification programs for individuals who practice in disciplines
involving the audit and the implementation of a compliant management system. This principal purpose
includes:
1. Establishing the minimum requirements necessary to qualify certified professionals;
2. Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification
examinations;
3. Developing and maintaining reliable, valid, and current certification examinations;
4. Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory
of the holders of valid certificates;
5. Establishing requirements for the periodic renewal of certification and determining compliance with
those requirements;
6. Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
7. Representing its members, where appropriate, in matters of common interest;
8. Promoting the benefits of certification to employers, public officials, practitioners in related fields, and
the public.
Section 1 : Course objectives and structure
The ISO 17024 standard provides a comprehensive framework for certification bodies of persons, such
as PECB, to operate in a coherent, comparable and trusted way worldwide. The primary function of a
certification body of persons is the independent assessment of a candidate's demonstrated experience, knowledge
and attitudes applicable to the field for which certification is granted.
The ISO 17024 standard provides a uniform set of guidelines for organizations that manage the
qualification and certification of persons, including procedures relating to the preparation and updating of
a certification scheme. The standard is designed to help organizations that carry out certification of
persons to conduct well-planned and structured assessments using objective criteria of competence
and grading, to ensure impartiality of operations and reduce the risk of conflicts of interest.
ISO 17024 addresses the structure and governance of the certification body, the characteristics of
the certification programme, the information that must be made available to candidates, and the renewal of
certification.
IAS is one of the largest and most recognized organizations offering an accreditation program for ISO
17024.
Section 1 : Course objectives and structure
• An internationally recognized certification can help you maximize your career potential and reach your professional objectives.
• An international certification is the formal recognition of personal competencies in improving the performance of organizations.
• According to salary surveys published by Quality Progress magazine in the last five years, certified professionals have an average salary considerably higher than their non-certified counterparts.
Section 1 : Course objectives and structure
In order to ensure your satisfaction and continually improve the training, examination and certification
processes, PECB Customer Service has established a support ticket system for handling complaints and
services for our clients.
As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact
the head of the training organization where you are registered. In all cases, we remain at your disposal to
arbitrate any dispute that might arise between you and these parties.
To send comments, questions or complaints, please open a support ticket on PECB’s website in the PECB
Help Center. (www.pecb.com/help)
If you have suggestions for improving PECB’s training materials, we would like to hear from you. We read and
evaluate the input we get from our members. You can submit it directly from our KATE application or you can
open a ticket directed to the Training Department in the PECB Help Center (www.pecb.com/help).
In case of dissatisfaction with the training (trainer, training room, equipment,...), the examination or the
certification processes, please open a ticket under “Make a complaint” category on the PECB Help Center.
(www.pecb.com/help)
Section 1 : Course objectives and structure
Day 1: Introduction to ISO 27001 and initiation of an ISMS
• Section 01 : Course objective and structure
• Section 02 : Standard and regulatory framework
• Section 03 : Information Security Management System (ISMS)
• Section 04 : Fundamental principles of information security
• Section 05 : Initiating the ISMS implementation
• Section 06 : Understanding the organization and clarifying the information security objectives
• Section 07 : Analysis of the existing management system
Day 2: Plan the implementation of the ISMS
• Section 08: Leadership and approval of the ISMS project
• Section 09: ISMS scope
• Section 10: Policies for information security
• Section 11: Risk assessment
• Section 12: Statement of Applicability and management decision to implement the ISMS
• Section 13: Definition of the organizational structure of information security
Section 1 : Course objectives and structure
Day 3: Deploying the ISMS
• Section 14: Definition of the document management process
• Section 15: Design of security controls and drafting of specific policies & procedures
• Section 16: Communication plan
• Section 17: Training and awareness plan
• Section 18: Implementation of security controls
• Section 19: Incident Management
• Section 20: Operations Management
Day 4: ISMS measurement, continuous improvement and preparation for certification audit
• Section 21: Monitoring, measurement, analysis and evaluation
• Section 22: Internal audit
• Section 23: Management review
• Section 24: Treatment of problems and non-conformities
• Section 25: Continual improvement
• Section 26: Preparing for the certification audit
• Section 27: Competence and evaluation of implementers
• Section 28: Closing the training
Section 2 : Standard and regulatory framework
During this training, we will adopt the following convention: standards will often be referenced as “ISO
XXXX” in the slides instead of by their official designation “ISO/IEC XXXXX:20XX”, without specifying their
publication date; each such reference is to the latest version of the standard.
ISO documents are copyright protected. Each participant has a responsibility to possess a legal copy of the
standards required for this course. If a standard is included or was given to you for the period of this
training, you must follow the conditions for use stated by ISO.
No part of this publication may be reproduced or used in any way or by any means, whether electronic or
mechanical, including photocopies and microfilms, without written permission from ISO (see address
below) or from an ISO member body in the country of the person or organization concerned.
Copies of the different ISO standards can be bought online on the ISO website (www.iso.org) or from the
accreditation authority of each country. For example, you can buy ISO standards from ANSI
(webstore.ansi.org).
Important note on terminology: Depending on the standard, there are different terms used to refer to
specific part of a standard like clause, section, paragraph or chapter. In this course we will use "clause" to
express any reference to a specific part of a norm or standard.
Section 2 : Standard and regulatory framework
History
In 1946, delegates from 25 countries met in London and decided to create a new international organization,
of which the object would be "to facilitate the international coordination and unification of industrial
standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland.
The International Standards Organization (ISO) is a non-governmental organization that holds a special
position between the public sector and the private sector. Its members include national standards
organizations who often are part of government structures in their countries or who are mandated by these
governments.
Other members belong to the private sector as national partnerships of industry associations.
Goals/Advantages
The role of ISO is to facilitate international coordination and the standardization of industrial standards. To
reach these objectives, ISO publishes technical standards. These standards contribute to the development,
manufacturing and delivery of products and services that are more effective, safer and clearer. They
facilitate fair trade between countries. In addition, they bring a technical foundation for health, security, and
environmental legislation to governments; and they help transfer technologies to developing countries. ISO
standards are also used to protect consumers and general users of products and services. These
standards are also used to simplify their lives.
Note on terminology: Because "International Organization for Standardization" would have different
acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de
normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived
from the Greek isos, meaning "equal".
Source: www.iso.org
Section 2 : Standard and regulatory framework
How are ISO standards developed?
The national delegations of experts of a committee meet to discuss, debate and argue until they reach
consensus on a draft agreement. The “organizations in liaison” also take part in this work. In some cases,
advanced work within these organizations means that substantial technical development and debate has
already occurred, leading to some international recognition and in this case, a document may be submitted
for "fast-track" processing. In both cases, the resulting document is circulated as a Draft International
Standard (DIS) to all ISO's member bodies for voting and comment.
If the vote is in favor, the document, with any modifications, is circulated to the ISO members as a
Final Draft International Standard (FDIS). If that vote is positive, the document is then published as an
International Standard. (There is no FDIS stage in the case of documents processed through the fast track
procedure of the joint technical committee ISO/IEC JTC 1, Information technology.)
Every working day of the year, an average of seven ISO technical meetings take place around the world. In
between meetings, the experts continue the standards' development work by correspondence. Increasingly,
their work is carried out by electronic means, which speeds up the development of standards and cuts travel
costs.
International Standards are developed by a six-step process:
Stage 1: Proposal stage
The first step in the development of an International Standard is to confirm that a particular International
Standard is needed. A new work item proposal (NP) is submitted for vote by the members of the relevant TC
or SC to determine the inclusion of the work item in the programme of work.
The proposal is accepted if a majority of the P-members of the TC/SC votes in favor and if at least five
P-members declare their commitment to participate actively in the project. At this stage a project leader
responsible for the work item is normally appointed.
Stage 2: Preparatory stage
Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the
TC/SC for the preparation of a working draft. Successive working drafts may be considered until the working
group is satisfied that it has developed the best technical solution to the problem being addressed. At this
stage, the draft is forwarded to the working group's parent committee for the consensus-building phase.
Stage 3: Committee stage
As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed
for comment and, if required, voting, by the P-members of the TC/SC. Successive committee drafts may be
considered until consensus is reached on the technical content. Once consensus has been attained, the text
is finalized for submission as a draft International Standard (DIS).
Stage 4: Enquiry stage
The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat
for voting and comment within a period of five months. It is approved for submission as a final draft
International Standard (FDIS) if a two-thirds majority of the P-members of the TC/SC are in favor and not
more than one-quarter of the total number of votes cast are negative. If the approval criteria are not met, the
text is returned to the originating TC/SC for further study and a revised document will again be circulated for
voting and comment as a draft International Standard.
Stage 5: Approval stage
The final draft International Standard (FDIS) is circulated to all ISO member bodies by the ISO Central
Secretariat for a final Yes/No vote within a period of two months. If technical comments are received during
this period, they are no longer considered at this stage, but registered for consideration during a future
revision of the International Standard. The text is approved as an International Standard if a two-thirds
majority of the P-members of the TC/SC is in favor and not more than one-quarter of the total number of
votes cast are negative. If these approval criteria are not met, the standard is referred back to the originating
TC/SC for reconsideration in light of the technical reasons submitted in support of the negative votes
received.
Stage 6: Publication stage
Once a final draft International Standard has been approved, only minor editorial changes, if and where
necessary, are introduced into the final text. The final text is sent to the ISO Central Secretariat which
publishes the International Standard.
Reference: www.iso.org
Section 2 : Standard and regulatory framework
ISO basic principles
1. Equal representation: Every ISO member (full-fledged member) has the right to participate in
the development of any standard it deems important to the economy of its country. Whatever the
size or strength of the economy, each participating member can claim their right to vote. ISO
activities are thus carried out in a democratic structure where member countries are on the same
footing in terms of their influence on work orientation.
2. Voluntary: Adoption of ISO standards is voluntary. As a non-governmental organization, ISO
has no legal authority for their implementation. A percentage of ISO standards – more particularly
those related to health, security and the environment – have been adopted in several countries as
part of the regulatory framework, or are mentioned in the legislation for which they act as a
technical basis. Such adoptions are sovereign decisions by regulatory organizations or
governments.
ISO itself does not regulate, or legislate. However, although ISO standards are voluntary, they can
become a market requirement, as is the case with ISO 9001 or with freight container dimensions,
the traceability of food products, etc.
Section 2 : Standard and regulatory framework
3. Business orientation: ISO only develops standards for which a market demand exists. Work
is carried out by experts in the related industrial, technical and business sectors. These experts
may be joined by other experts holding the appropriate knowledge, such as those from public organizations,
academia and testing laboratories. ISO launches the development of new standards in
response to sectors and stakeholders that express a clearly established need for them.
An industry sector or other stakeholder group typically communicates its requirement for a
standard to one of ISO's national members. The latter then proposes the new work item to the
relevant ISO technical committee developing standards in that area. New work items may also be
proposed by organizations in liaison with such committees. When work items do not relate to
existing committees, proposals may also be made by ISO members to set up new technical
committees to cover new fields of activity.
4. Consensus approach: ISO standards are based on a representative consensus approach of
the different stakeholders (experts, industries, researchers, governments, etc.). This ensures a
larger circulation and a greater application. ISO standards are developed by technical
committees, (subcommittees or project committees) comprising experts from the industrial,
technical and business sectors which have asked for the standards, and which subsequently put
them to use. These experts may be joined by representatives of government agencies, testing
laboratories, consumer associations, non-governmental organizations and academic circles.
Proposals to establish new technical committees are submitted to all ISO national member
bodies, who may opt to be participating (P), observer (O) or non-members of the committee. The
secretariat (i.e. the body providing the administrative support to the work of the committee) is
allocated by the Technical Management Board (which itself reports to the ISO Council), usually to
the ISO member body which made the proposal. The secretariat is responsible for nominating an
individual to act as chair of the technical committee. The chair is formally appointed by the
Technical Management Board.
Experts participate as national delegations, chosen by the ISO national member body for the
country concerned. National delegations are required to represent not just the views of the
organizations in which their participating experts work, but those of other stakeholders too.
National delegations are usually based on and supported by national mirror committees to which
the delegations report.
According to ISO rules, the national member body is expected to take account of the views of all
parties interested in the standard under development. This enables them to present a
consolidated, national consensus position to the technical committee.
International and regional organizations from both business and the public sector may apply for
liaison status to participate in developing a standard, or to be informed about the work. Such
“organizations in liaison” are accepted through voting by the relevant ISO committee. They may
comment on successive drafts, propose new work items or even propose documents for “fast
tracking”, but they have no voting rights.
5. International cooperation: ISO standards are technical agreements that provide, at the
international level, the structure for technological compatibility. Developing a technical consensus on an
international scale is a major activity: 3 000 technical ISO groups are identified (technical
committees, subcommittees, work groups, etc.) within which 50 000 experts take part in
developing standards annually.
Source: www.iso.org
1. Customer focus: Organizations depend on their customers and therefore should understand current
and future customer needs, should meet customer requirements and strive to exceed customer
expectations.
Management system implications
• Researching and understanding customer needs and expectations.
• Ensuring that the objectives of the organization are linked to customer needs and expectations.
• Communicating customer needs and expectations throughout the organization.
• Systematically managing customer relationships.
• Ensuring a balanced approach between satisfying customers and other interested parties (such
as owners, employees, suppliers, financiers, local communities and society as a whole).
2. Leadership: Leaders establish unity of purpose and direction of the organization. They should create
and maintain the internal environment in which people can become fully involved in achieving the
organization's objectives.
Management system implications
• Considering the needs of all interested parties including customers, owners, employees,
suppliers, financiers, local communities and society as a whole.
• Establishing a clear vision of the organization's future.
• Setting challenging goals and targets.
• Creating and sustaining shared values, fairness and ethical role models at all levels of the
organization.
• Establishing trust and eliminating fear.
• Providing people with the required resources, training and freedom to act with responsibility and
accountability.
• Inspiring, encouraging and recognizing people's contributions.
3. Engagement and competence of people: People at all levels are the essence of an organization and their full
involvement enables their abilities to be used for the organization's benefit.
Management system implications
• People understanding the importance of their contribution and role in the organization.
• People identifying constraints to their performance.
• People accepting ownership of problems and their responsibility for solving them.
• People evaluating their performance against their personal goals and objectives.
• People actively seeking opportunities to enhance their competence, knowledge and experience.
• People freely sharing knowledge and experience.
• People openly discussing problems and issues.
4. Process approach: A desired result is achieved more efficiently when activities and related resources are
managed as a process.
Management system implications
• Systematically defining the activities necessary to obtain a desired result.
• Establishing clear responsibility and accountability for managing key activities.
• Analyzing and measuring the capability of key activities.
• Identifying the interfaces of key activities within and between the functions of the organization.
• Focusing on the factors, such as resources, methods and materials, that will improve key activities of the
organization.
• Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested
parties.
5. Improvement: Continual improvement of the organization's overall performance should be a permanent objective
of the organization.
Management system implications
• Employing a consistent organization-wide approach to continual improvement of the organization's
performance.
• Providing people with training in the methods and tools of continual improvement.
• Making continual improvement of products, processes and systems an objective for every individual in the
organization.
• Establishing goals to guide, and measures to track, continual improvement.
• Recognizing and acknowledging improvements.
6. Informed decision making: Effective decisions are based on the analysis of data and information.
Management system implications
• Ensuring that data and information are sufficiently accurate and reliable.
• Making data accessible to those who need it.
• Analyzing data and information using valid methods.
• Making decisions and taking action based on factual analysis, balanced with experience and intuition.
7. Relationship management: An organization and its suppliers are interdependent, and a mutually beneficial
relationship enhances the ability of both to create value.
Management system implications
• Establishing relationships that balance short-term gains with long-term considerations.
• Pooling expertise and resources with partners.
• Identifying and selecting key suppliers.
• Clear and open communication.
• Sharing information and future plans.
• Establishing joint development and improvement activities.
• Inspiring, encouraging and recognizing improvements and achievements by suppliers.
Source: www.iso.org
Since 1947 ISO has published over 21000 international standards. ISO publishes
standards related to traditional activities such as agriculture and construction, medical
devices and the most recent developments in information technologies, such as the digital
coding of audiovisual signals for multimedia applications.
ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO
9000 standard has become an international reference in regard to the quality
requirements in commerce and business transactions. The ISO 14000 standard, for its
part, is used to help organizations meet challenges of an environmental nature.
ISO 9001 is related to quality management. It contains the good practices that aim to
improve customer satisfaction, achievement of customer requirements and regulatory
requirements as well as continuous improvement actions in those fields. In December of
2009, 1 064 785 organizations were ISO 9001 certified (China having the most certified
organizations: 257 076).
ISO 14001 is mainly related to environmental management. It defines the actions that the
organization can implement for the maximum reduction of negative impacts of its
activities on the environment and for the continuous improvement of its environmental
performance. In December 2009, 223 149 organizations were ISO 14001 certified (China
having the most certified organizations: it had in 2009, 55 316; Japan is second with 39
556 certified organizations).
OHSAS 18001 (OHSAS = Occupational Health and Safety Assessment Series) identifies best
practices for the rigorous management and effective protection of occupational health and
safety. In spite of the publication of the ISO 18001 standard after various disagreements within
the ISO organization about creating a management standard for health and safety, OHSAS 18001 is
the de facto standard for health and safety at the enterprise level. OHSAS 18001 is a private standard. It
was developed from existing national standards (BS 8800, UNE 81900, VCA) and standards
published by different certification bodies (OHSMS, SafetyCert, SMS 8800).
ISO 20000-1 defines the requirements that an information technology service provider must
apply. This standard applies to service providers regardless of the organization’s size or type.
The standard consists of two parts. The first part defines the specifications the organization shall
apply to obtain certification. The second part (ISO 20000-2) explains the different practices or
recommendations to reach the objectives previously defined.
ISO 22000 specifies the requirements for a food safety management system (FSMS). This standard
applies to all organizations that are involved in any aspect of the food supply chain and want to
implement a system to continuously provide safe food. This standard focuses on personnel
competencies and on continuously monitoring information about food products (new legislation, standards,
rules…). Organizations must perform a HACCP (Hazard Analysis and Critical Control Point) analysis to
identify, analyze and evaluate the risks to food safety. For each risk that has been assessed as
significant, the organization must define the controls to implement.
ISO 22301 defines the requirements that an organization must apply to certify a Business
Continuity Management System (BCMS). To comply with the requirements of this standard the
organization needs to document a model to develop, implement, operate, monitor, review,
maintain and improve a BCMS to increase the resilience of an organization in case of a disaster.
This standard is compatible with PAS 22399 (Guideline for incident preparedness and operational
continuity management) and BS 25999 (British Standard on business continuity).
ISO 27001 defines the requirements that an organization must apply to provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving an
Information Security Management System (ISMS). An ISMS is a framework of policies and
procedures that includes all legal, physical and technical controls involved in an organization's
information risk management processes. The ISO 27001 standard does not mandate specific
information security controls, but it provides a checklist of controls that should be considered in
the accompanying code of practice, ISO 27002. This second standard describes a
comprehensive set of information security control objectives and a set of generally accepted good
practice security controls.
ISO 28000 prescribes the requirements applicable to a security management system of the
supply chain. An organization has to define, implement, maintain, and improve a supply chain
security management system during each step of production: manufacturing, maintenance,
storage or transport of goods.
More and more organizations have to manage several compliance frameworks simultaneously. To simplify
the work, to avoid conflicts and to reduce duplication of documents, it is recommended to implement an
integrated management system. An integrated management system (IMS) is a management system which
integrates all components of a business into one coherent system so as to enable the achievement of its
purpose and mission. The table in the slide presents certain requirements that are common to all
management systems.
There are several good reasons for integration, to:
• harmonize and optimize practices
• eliminate conflicting responsibilities and relationships
• balance conflicting objectives
• formalize informal systems
• reduce duplication and therefore costs
• reduce risks and increase profitability
• turn the focus onto business goals
• create consistency
• improve communication
• facilitate training and awareness
Important note: In June 2009, the Technical Steering Committee of ISO adopted a resolution asking the
committees involved in the development of standards to specify the requirements of a management system
(ISO 14001, ISO 22000, ISO 27001, etc.) by following a common structure of clauses in line with ISO 9001.
This Directive is applicable to the versions published after 2011. So the common elements to every
management system will have the same reference. The main objective is to facilitate the combined
management of a normative framework for an organization.
As of March 2012, there are 106 published ISO standards on information security (JTC 1/SC 27 technical
committee) including the following examples:
ISO 9798: This standard specifies a general model, including the requirements and constraints, for the use
of entity authentication mechanisms. These mechanisms are used to demonstrate that an entity is who
it claims to be. Details on the different mechanisms are explained in the different parts of this standard.
ISO 11770: This standard defines a general model for key management independent of the cryptographic
algorithm used. This standard addresses both automatic and manual key management and the required sequence of
operations. However, it does not specify details of the interface protocols needed for the operations.
ISO 15408: Under the general title Common Criteria, this standard is intended to be used as a basis for
evaluating the security properties of Information Technology (IT) products and systems. A free copy can be
downloaded from the ISO website.
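To make the ISO 9798 general model concrete, the following is an added illustration (it is not PECB course material and does not reproduce any ISO 9798 part's exact token format): a unilateral challenge-response exchange in which the verifier sends a fresh random challenge and the claimant answers with a keyed check value computed over that challenge and both identities. The key, the identities and the use of HMAC-SHA256 as the check function are assumptions made for the example. It shows why a fresh challenge and identity binding matter: a captured response cannot be accepted a second time, and a party without the key cannot produce a valid response.

```python
"""Illustrative challenge-response entity authentication (ISO 9798-style model).

Added example, not course or standard text. Assumes a pre-shared key and
HMAC-SHA256 as the cryptographic check function.
"""
import hashlib
import hmac
import os

# Constructed pre-shared key for the example only; a real deployment obtains
# keys through a key management process (the subject of ISO 11770).
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def check_value(key: bytes, verifier_id: bytes, claimant_id: bytes,
                challenge: bytes) -> bytes:
    """Keyed check value over the fresh challenge and both identities.
    Binding the identities stops a token made for one verifier from being
    accepted by another; the fresh challenge stops replay of an old token."""
    message = b"\x00".join((b"auth-token", verifier_id, claimant_id, challenge))
    return hmac.new(key, message, hashlib.sha256).digest()


class Verifier:
    """Party B: issues a random challenge and checks the returned token."""

    def __init__(self, key: bytes, identity: bytes) -> None:
        self.key = key
        self.identity = identity
        self.outstanding: dict[bytes, bytes] = {}   # claimant -> live challenge

    def issue_challenge(self, claimant_id: bytes) -> bytes:
        challenge = os.urandom(16)                   # 128-bit nonce, fresh per run
        self.outstanding[claimant_id] = challenge
        return challenge

    def verify(self, claimant_id: bytes, token: bytes) -> bool:
        challenge = self.outstanding.pop(claimant_id, None)
        if challenge is None:
            return False      # no live challenge for this claimant: replay or unsolicited
        expected = check_value(self.key, self.identity, claimant_id, challenge)
        return hmac.compare_digest(expected, token)  # constant-time comparison


class Claimant:
    """Party A: proves possession of the shared key by answering the challenge."""

    def __init__(self, key: bytes, identity: bytes) -> None:
        self.key = key
        self.identity = identity

    def respond(self, verifier_id: bytes, challenge: bytes) -> bytes:
        return check_value(self.key, verifier_id, self.identity, challenge)


def authenticate(claimant: Claimant, verifier: Verifier) -> bool:
    """One complete unilateral authentication run: B challenges, A answers, B checks."""
    challenge = verifier.issue_challenge(claimant.identity)
    token = claimant.respond(verifier.identity, challenge)
    return verifier.verify(claimant.identity, token)


def replay_is_rejected() -> bool:
    """A token that already passed must not pass again: its challenge was consumed."""
    verifier = Verifier(SHARED_KEY, b"server")
    claimant = Claimant(SHARED_KEY, b"alice")
    challenge = verifier.issue_challenge(claimant.identity)
    token = claimant.respond(verifier.identity, challenge)
    first = verifier.verify(claimant.identity, token)
    second = verifier.verify(claimant.identity, token)   # same token presented again
    return first and not second


def wrong_key_is_rejected() -> bool:
    """Claiming an identity without holding its key yields an invalid token."""
    verifier = Verifier(SHARED_KEY, b"server")
    impostor = Claimant(bytes(32), b"alice")   # uses identity "alice" but a different key
    return not authenticate(impostor, verifier)


if __name__ == "__main__":
    print("genuine claimant accepted:",
          authenticate(Claimant(SHARED_KEY, b"alice"), Verifier(SHARED_KEY, b"server")))
    print("replayed token rejected:", replay_is_rejected())
    print("wrong key rejected:", wrong_key_is_rejected())
```

The verifier keeps only one live challenge per claimant and discards it on the first verification attempt, so the check is single-use by construction; the constant-time comparison avoids leaking how many bytes of a guessed token matched.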
It contains the following parts:
Part 1: Introduction and general model;
Part 2: Security functional components;
Part 3: Security assurance components.
ISO 21827 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®),
which describes the essential characteristics of an organization's security engineering
process that must exist to ensure good security. ISO 21827 does not prescribe a particular
process or sequence, but captures practices generally observed in industry. The objective is to
facilitate an increase in the maturity of the security engineering processes within the organization.
ISO 24761 specifies the structure and elements of a mechanism for authentication using
biometrics in the verification process.
ISO 27033 provides an overview of network security and related definitions. It defines and
describes the concepts associated with network security. The various parts of ISO 27033 address
specific topics related to network security.
Beginning of the 1990s
• An industry need expressed in terms of better practices and controls to support trade and
government in the implementation and improvement of information security;
• Ministry of Commerce and Industry (United Kingdom) forms a work group grouping together
directors with experience in information security;
• Publication of a collective work of advice on the management of information security.
1992
• Guide of good practices of the industry (September) initially published as a British Standards
Institution (BSI) publication;
• This guide was the basis for the British Standard: BS 7799-1.
1995
• BS 7799-1:1995 published as a British standard.
1996 -1997
• Identification of a need to increase the level of confidence in the BS 7799 standard;
• The industry requests a certification programme for an ISMS.
1998
• Launch of the ISMS certification model (Published as BS 7799-2:1998).
1999
• Revision of BS 7799-1:1999 (updates and addition of new security controls):
  – New security controls: e-commerce, mobile IT, third-party agreements;
  – Suppression of specific references to the United Kingdom.
• BS 7799-2:1999 (Alignment of controls to BS 7799-1).
2000
• Publication of ISO 17799:2000.
2002
• Launch of BS 7799-2:2002.
• The main updates are:
  – Integration of the Plan-Do-Check-Act (PDCA) Model;
  – ISO 17799 controls included as an annex to the standard;
  – Annex demonstrating the connection between BS 7799-2, ISO 9001 and ISO 14001.
2005
• Publication of the new version of ISO 17799:2005.
• Publication of ISO 27001:2005, which replaces BS 7799-2, and contains:
  – ISMS specifications;
  – ISO 17799 controls in the standard's annex;
  – Annex demonstrating the connection with ISO 9001 and ISO 14001.
2007
• Publication of ISO 27002:2005 replacing ISO 17799:2005 (No change in the content, just identification
number);
• Publication of ISO 27006:2007 (Requirements for bodies providing audit and certification of information security
management systems).
2008
• Publication of ISO 27005:2008 (Information security risk management);
• Publication of ISO 27011:2008 (Information security management guidelines for telecommunications
organizations based on ISO 27002).
2009
• Publication of ISO 27000:2009 (Information security management systems -- Overview and vocabulary);
• Publication of ISO 27004:2009 (Information security management – Measurement);
• Publication of ISO 27033-1:2009 (Network security -- Part 1: Overview and concepts).
2010
• Publication of ISO 27003:2010 (Information security management system implementation guidance);
• Publication of ISO 27033-3:2010 (Network security -- Part 3: Reference networking scenarios -- Threats,
design techniques and control issues).
2011
• Publication of ISO 27005:2011 (Information security risk management);
• Publication of ISO 27006:2011 (Requirements for bodies providing audit and certification of information security
management systems);
• Publication of ISO 27007:2011 (Guidelines for information security management systems auditing);
• Publication of ISO 27008:2011 (Guidelines for auditors on information security controls).
2012
• Publication of ISO 27000:2012 (this second edition cancels and replaces the first edition: ISO/IEC 27000:2009)
2013
• Publication of ISO 27001:2013 (this second edition cancels and replaces the first edition: ISO/IEC 27001:2005)
• Publication of ISO 27002:2013 (this second edition cancels and replaces the first edition: ISO/IEC 27002:2005)
2014
• Publication of ISO 27000:2014 (this third edition cancels and replaces the second edition: ISO/IEC 27000:2012)
2016
• Publication of ISO 27000:2016 (this fourth edition cancels and replaces the third edition: ISO/IEC 27000:2014)
Resulting from the reflections of an international workgroup dedicated to information security,
the ISO 27000 family has been progressively published since 2005. ISO 27001:2005 is the only
certifiable standard of the ISO 27000 family. The other standards are guidelines.
• ISO 27000: This information security standard develops the basic concepts as well as the
vocabulary that applies when analyzing Information Security Management Systems. A free
copy of this standard can be downloaded from the ISO website.
• ISO 27001: This information security standard defines the requirements of the Information
Security Management Systems (ISMS).
• ISO 27002 (previously ISO 17799): Guide of best practices for the management of
information security. This standard defines objectives and recommendations in terms of
information security and anticipates meeting global concerns of organizations relating to
information security for their overall activities.
• ISO 27003: Guide for implementing or setting up an ISMS.
• ISO 27004: Guide of metrics to facilitate ISMS management, it provides a method to define
the objectives for implementation and effectiveness criteria, of follow-up and evolution
measurements all through the process.
• ISO 27005: Guide for information security risk management which complies with the
concepts, models and general processes specified in ISO 27001.
• ISO 27006: Guide for organizations auditing and certifying ISMS’s.
• ISO 27007: Guidelines for information security management systems auditing.
• ISO 27008: Guidelines for auditors on information security controls.
• ISO 27011: Guidelines for the use of ISO 27002 in telecommunication industry.
• ISO 27031: Guidelines for information and communication technology readiness for business
continuity.
• ISO 27799: Guidelines for the use of ISO 27002 in health informatics.
ISO 27001:
• A set of normative requirements for the establishment, implementation, operation, monitoring,
review, maintenance and improvement of an Information Security Management System (ISMS);
• A set of requirements for selecting security controls tailored to the needs of each organization based on
industry best practices;
• A management system that is integrated in the overall risk framework associated with the activity of the
organization;
• An internationally-recognized process, defined and structured to manage information security;
• An international standard to suit all types of organizations (e.g. commercial enterprises, government
agencies, nonprofit organizations ...), of all sizes in all industries.
ISO 27001, clause 0.1: General
This International Standard has been prepared to provide requirements for establishing, implementing,
maintaining and continually improving an information security management system. The adoption of an
information security management system is a strategic decision for an organization. The establishment and
implementation of an organization’s information security management system is influenced by the
organization’s needs and objectives, security requirements, the organizational processes used and the size
and structure of the organization. All of these influencing factors are expected to change over time.
The information security management system preserves the confidentiality, integrity and availability of
information by applying a risk management process and gives confidence to interested parties that risks
are adequately managed.
It is important that the information security management system is part of and integrated with the
organization’s processes and overall management structure and that information security is considered in
the design of processes, information systems, and controls. It is expected that an information security
management system implementation will be scaled in accordance with the needs of the organization.
This International Standard can be used by internal and external parties to assess the organization’s ability
to meet the organization’s own information security requirements.
ISO 27002:
• Revised in 2005, ISO 17799 is a guide of best practices for information security management. In 2007, it
became ISO 27002 in order to be integrated into the ISO 27000 family. In 2013, a second edition of ISO 27002
was published.
• This international standard provides a list of security objectives and controls generally practiced in the
industry.
• In particular, Clauses 5 to 18 provide specific advice and implementation guidance on the best
practices supporting the controls specified in Annex A of ISO 27001 (clauses A.5 to A.18).
ISO 27002, clause 1: Scope
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management of
controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System based
on ISO/IEC 27001;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
ISO 27003, clause 1 : Scope
This International Standard focuses on the critical aspects needed for successful design and
implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC
27001:2005. It describes the process of ISMS specification and design from inception to the production of
implementation plans. It describes the process of obtaining management approval to implement an ISMS,
defines a project to implement an ISMS (referred to in this International Standard as the ISMS project), and
provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
This International Standard is intended to be used by organizations implementing an ISMS. It is applicable
to all types of organization (e.g. commercial enterprises, government agencies, non-profit organizations) of
all sizes. Each organization's complexity and risks are unique, and its specific requirements will drive the
ISMS implementation. Smaller organizations will find that the activities noted in this International Standard
are applicable to them and can be simplified. Large-scale or complex organizations might find that a
layered organization or management system is needed to manage the activities in this International
Standard effectively. However, in both cases, the relevant activities can be planned by applying this
International Standard. This International Standard gives recommendations and explanations; it does not
specify any requirements.
This International Standard is intended to be used in conjunction with ISO/IEC 27001:2005 and ISO/IEC
27002:2005, but is not intended to modify and/or reduce the requirements specified in ISO/IEC 27001:2005
or the recommendations provided in ISO/IEC 27002:2005. Claiming conformity to this International
Standard is not appropriate.
Here are some of the standards already published or under development:
• ISO 27010: Information security management guidelines for inter-sector communication;
• ISO 27011: Information security management guidelines for telecommunications organizations
based on ISO 27002;
• ISO 27013: Guideline on the integrated implementation of ISO 20000-1 and ISO 27001;
• ISO 27014: Information security governance framework;
• ISO 27015: Information security management guidelines for the finance and insurance sectors;
• ISO 27016: Information security management guidelines on organizational economics;
• ISO 27017: Information security management guidelines on cloud computing security and privacy
management system;
• ISO 27018: Code of practice for data protection controls for public cloud computing services;
• ISO 27031: Guideline for ICT readiness for business continuity (essentially the ICT continuity
component within business continuity management);
• ISO 27032: Guidelines for cyber security;
• ISO 27033: IT Network security (ISO 27033-1 to ISO 27033-7);
• ISO 27034: Guideline for application security;
• ISO 27035: Security incident management;
• ISO 27036: Guidelines for security of outsourcing;
• ISO 27037: Guidelines for identification, collection and/or acquisition and preservation of digital
evidence;
• ISO 27038: Specification for Digital Redaction;
• ISO 27039: Guideline for selection, deployment and operations of intrusion detection systems;
• ISO 27040: Guideline for storage security;
• ISO 27041: Guidance on assuring suitability and adequacy of investigation methods;
• ISO 27042: Guidelines for the analysis and interpretation of digital evidence;
• ISO 27043: Guideline for investigation principles and processes;
• ISO 29100: Information technology privacy framework.
Section 3: Information Security Management System (ISMS)
A management system is a system that allows organizations to establish policies and objectives and to
subsequently implement them. The management system of an organization may include different
management systems, such as a quality management system, information security, environmental, etc.
Organizations use management systems to develop their policies and put them into effect through
objectives using:
• An organizational structure;
• Systematic processes and associated resources;
• An effective assessment methodology;
• A review process to ensure that the problems are adequately corrected and that opportunities for
improvement are recognized and implemented when justified.
Note: What is implemented must be controlled and measured, what is controlled and measured
must be managed. The standard indicates that the organization must evaluate the information security
performance and the effectiveness of the information security management system (clause 9.1). This
clause is an essential component of a management system because without the evaluation of the
effectiveness of processes and controls in place, it is impossible to validate if the organization has achieved
its objectives.
42
Definitions related to the concept of “ISMS”
ISO 9000 and ISO 27000
• System: Set of interrelated or interacting elements (ISO 9000, 3.5.1).
• Management: Coordinated activities to direct and control an organization (ISO 9000, 3.3.3).
• Management system: Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives (ISO 9000, 3.5.3).
• Information security: Preservation of confidentiality, integrity and availability of information (ISO 27000, 2.33).
Notes on terminology
1. The term management refers to all the activities that are used to coordinate, direct, and control an organization. In this context, the term management does not refer to people; it refers to activities. ISO 9000 uses the term top management to refer to people.
2. The management system of an organization can include different management systems, such as a quality management system (ISO 9001), an information security management system (ISO 27001), an environmental management system (ISO 14001), etc.
43
This International Standard adopts the “Plan-Do-Check-Act” (PDCA) process model, also known as the Deming wheel, which is applied to the structure of all the processes in a management system. The figure illustrates how a management system takes the requirements and expectations of the stakeholders as input, and how it produces, through the necessary actions and processes, the information security results that meet those requirements and expectations.
Plan (establish the management system): Establish the policy, the objectives, processes and procedures
related to risk management and the improvement of information security to provide results in line with the
global policies and objectives of the organization.
Do (implement and operate the management system): Implement and operate the policy, controls,
processes and procedures of the management system.
Check (monitor and review the management system): Assess and, if applicable, measure process
performances against the policy, objectives and practical experience and report the results to management
for review.
Act (maintain and improve the management system): Undertake corrective and preventive actions, on
the basis of the results of the internal audit and management review, or other relevant information to
continually improve the said system.
44
A process can be defined as a logical group of interrelated tasks performed to reach a defined objective. A process is a sequence of structured and measured activities designed to create a product or a service for a specific market or a particular client.
For an organization to function effectively, it must implement and manage numerous interrelated and interacting processes. Often, the output of one process directly forms the input of the next process. The identification and orderly management of processes within an organization, and especially of the interactions between these processes, is called the “process approach”.
Controls are used to ensure that business processes are conducted in a secure manner in terms of information exchange. These security processes and controls depend on the business processes because they are part of them.
For example, security measures relating to human resources should be integrated into existing processes
for human resources management of an organization by making these processes more secure by providing
that:
• Everyone’s responsibilities in terms of information security be defined (clause 5.3);
• Background checks of applicants be performed according to the criticality of the information they will
have to process (clause A.7.1.1);
• The organization has a formal disciplinary process in case of a breach in information security (clause
A.7.2.3);
• The organization has a formalized process to remove the access rights of employees leaving the
organization (clause A.9.2.6).
45
An organization seeking certification to ISO 27001 must comply with all requirements defined in clauses 4 to 10 of the standard, identify the applicable controls of Annex A in the Statement of Applicability, and justify the exclusion of the Annex A controls it considers inapplicable.
46
ISO 27001, Clause 4.1: Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect
its ability to achieve the intended outcome(s) of its information security management system.
Note: Determining these issues refers to establishing the external and internal context of the organization
considered in Clause 5.3 of ISO 31000:2009.
ISO 27001, Clause 4.2: Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
Note: The requirements of interested parties may include legal and regulatory requirements and contractual
obligations.
47
ISO 27001, Clause 4.3: Determining the scope of the information security management
system
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that
are performed by other organizations.
The scope shall be available as documented information.
ISO 27001, Clause 4.4: Information security management system
The organization shall establish, implement, maintain and continually improve an information
security management system, in accordance with the requirements of this International Standard.
48
ISO 27001, clause 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security
management system by:
a) ensuring the information security policy and the information security objectives are established and are
compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the
organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the
information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security
management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas
of responsibility.
49
Through its leadership and actions, management can create an environment in which the different actors are fully involved and in which the management system can operate effectively, in synergy with the objectives of the organization. Management can use the ISO management principles to define its role, which involves:
a) establishing the guidelines and objectives of the organization;
b) promoting policies and objectives at all levels of the organization to increase awareness, motivation and involvement;
c) ensuring that the requirements of stakeholders (customers, partners, shareholders, legislators, etc.) are a priority at all levels of the organization;
d) ensuring that appropriate processes and controls are implemented to help meet the requirements of customers and other stakeholders;
e) ensuring that an efficient and effective management system is established, implemented and maintained;
f) ensuring the availability of the necessary resources;
g) ensuring that internal audits are conducted;
h) conducting the management review at least once a year;
i) deciding on actions concerning the policy and objectives;
j) deciding on actions to improve the management system.
50
51
52
When planning an ISMS, the organization must consider the issues referred to in 4.1 (Understanding the organization and its context) and the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties), and determine the risks and opportunities that need to be addressed.
53
ISO 27001, clause 7: Support
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the ISMS.
7.2 Competence
The organization shall
a) determine the necessary competence of person(s) doing work under its control that affects its
information security performance,
b) ensure that these persons are competent on the basis of appropriate education, training, and
experience,
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken, and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the
reassignment of current employed persons; or the hiring or contracting of competent persons.
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
a) the information security policy,
b) their contribution to the effectiveness of the ISMS, including the benefits of improved information
security performance,
c) the implications of not conforming with the ISMS requirements.
54
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the ISMS
including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate,
d) who shall communicate; and
e) the processes by which communication shall be effected.
7.5 Documented information
7.5.1 General
The organization’s ISMS shall include:
− documented information required by this International Standard; and
− documented information determined by the organization as being required for the effectiveness of the
ISMS.
NOTE The extent of documented information for an ISMS can differ from one organization to another due to
− the size of organization and its type of activities, processes, products and services,
− the complexity of processes and their interactions, and
− the competence of persons.
55
ISO 27001, clause 7.5: Documented information
7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate
a) identification and description (e.g. a title, date, author or reference number),
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic),
c) and review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the ISMS and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed,
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use,
— storage and preservation, including preservation of legibility,
— control of changes (e.g. version control),
— retention and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and
operation of the ISMS shall be identified, as appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information, or the
permission and authority to view and change the documented information, etc.
56
57
ISO 27001, clause 8.2: Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk
assessments.
ISO 27001, clause 8.3: Information security risk treatment
The organization shall implement the information security risk treatment plan. The organization shall retain
documented information of the results of the information security risk treatment.
58
ISO 27001, clause 9: Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid
results;
NOTE The methods selected should produce comparable and reproducible results to be considered
valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results.
59
Internal audits are used to assess the degree to which the requirements of the standard relating to the management system are fulfilled. Regular internal audit activities allow the effectiveness of the management system to be assessed continuously and opportunities for improvement to be identified.
The organization must implement an internal audit programme to determine whether the management system reaches the objectives defined by the organization, remains in conformity with the standard as well as with other internal, legal, regulatory and contractual requirements, and is kept up to date in an efficient manner.
The audit programme shall, as a minimum, contain:
1. Definition of the criteria, the scope, the frequency, the methods and the audit procedures;
2. Definition of the roles and responsibilities of the internal auditors;
3. Documentation ensuring the objectivity and impartiality of the audit process (examples: audit charter, work contract, code of ethics of internal auditors, etc.);
4. Planning of audit activities;
5. Follow-up activities to audit the actions taken by the business following the detection of nonconformities;
6. Procedure for keeping the records of audit activities and safeguarding those records.
Note: The implementation and management of an internal audit program will be explained during Day 4 of
the training.
60
Management reviews allow the management of the organization to periodically review the level of
performance (relevance, appropriateness, effectiveness and efficiency) of the management system in
place. These reviews allow the organization to adapt or refocus quickly and efficiently the management
system towards internal or external changes. A management review shall be organized at least once
a year.
Management reviews must be documented. They should then be distributed to all review participants.
61
ISO 27001, clause 10: Improvement
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or
occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
ISO 27000 - Definitions
2.24. Effectiveness: Extent to which planned activities are realized and planned results achieved.
62
The objectives and security controls listed in Annex A are aligned with the security objectives and security controls listed in clauses 5 to 18 of ISO 27002.
The lists of objectives and security controls in Annex A of ISO 27001 are not exhaustive. An organization may consider including additional security objectives and security controls.
63
64
Please read the following parts of the case study provided for this course:
• History of the business enterprise
• Organization of the business enterprise
Basing yourself on this information, determine and explain the three greatest advantages for implementing
the ISO 27001 standard for this organization and how they can measure these advantages thanks to
metrics.
Duration of the exercise: 30 minutes
Comments: 15 minutes
65
Improvement of security:
• General improvement of the effectiveness of information security;
• The standard covers the technological aspects of security as well as the other aspects: corporate security, physical security, etc.;
• Independent review of your information security management system;
• Better awareness of information security;
• Mechanisms to measure the effectiveness of the management system.
Good governance:
• Awareness and empowerment of personnel regarding information security;
• Reduced risk of lawsuits against upper management, by virtue of the “due care” and “due diligence” principles;
• The opportunity to identify the weaknesses of the ISMS and to correct them;
• Increased accountability of top management for information security.
Conformity:
• With other ISO standards;
• With OECD (Organization for Economic Co-operation and Development) principles (see ISO 27001, Annex B);
• With industry standards, for example PCI-DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry);
• With national and regional laws.
Cost reduction:
• Decision makers often ask for the profitability of projects to be justified and demand concrete, measurable returns. A financial evaluation concept has emerged to address the information security field specifically: Return on Security Investment (ROSI). ROSI is derived from Return on Investment (ROI) and can be interpreted as the financial benefit of a security project, taking into account its total cost over a given period of time.
Marketing:
• Differentiation provides a competitive advantage for the organization;
• Satisfaction of the requirements of customers and/or other stakeholders;
• Consolidated confidence of the customers, suppliers and partners of the organization.
66
67
Section 4: Fundamental principles of information security
68
Information system: Collection of hardware, software and organizational means that allow information to be received, stored and processed.
Clause A.8 of Annex A defines the control objectives linked to the management of assets.
ISO 27001, A.8.1 - Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.
A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an
inventory of these assets shall be drawn up and maintained.
A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.
A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and
information processing facilities shall be identified, documented and implemented.
A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their
possession upon termination of their employment, contract or agreement.
69
Note:
• The medium of a document can be paper, magnetic, electronic or optical computer
disc, photograph or a combination of these.
• A set of documents (for example specifications and records) is frequently called
documentation.
It is important to distinguish between documents and records. In dictionaries, a record is a type of document, but in the ISO world these are distinct concepts. A record is the output of a process or control. For example:
1. An audit procedure is a document. This procedure generates audit report and these
audit reports become records.
2. A documented process for management reviews is a document. This process
generates records such as management review minutes.
3. A documented procedure for continuous improvement is a document. A filled
corrective action form is a record.
70
ISO 27002, clause 0.2: How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main
sources of security requirements:
a) assessing risks to the organization, taking into account the organization’s overall business
strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability
to and likelihood of occurrence is evaluated and potential impact is estimated;
b) legal, statutory, regulatory and contractual requirements that an organization, its trading
partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its
operations.
Resources employed in implementing controls need to be balanced against the business harm
likely to result from security issues in the absence of those controls. The results of a risk
assessment will help guide and determine the appropriate management action and priorities for
managing information security risks and for implementing controls selected to protect against
these risks.
ISO/IEC 27005 provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
71
Other definitions of ISO 27000
2.8. Authenticity: Property that an entity is what it claims to be.
2.54. Non-repudiation: Ability to prove the occurrence of a claimed event or action and its originating entities.
2.62. Reliability: Property of consistent intended behaviour and results.
72
ISO 27001 is an information security standard. This means it applies to the protection of information whatever its form, whether digital, on paper or held by people.
Annex A includes control objectives related to the classification of information:
ISO 27001, A.8.2 – Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its
importance to the organization.
A8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorised disclosure or modification.
A8.2.2 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in
accordance with the information classification scheme adopted by the organization.
A8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the
information classification scheme adopted by the organization.
73
Confidentiality: Ensure that the information is only accessible to authorized individuals (individuals with a
real need).
For example, the personal data of salaried employees must only be accessible to authorized Human
Resources Department personnel.
Several types of access control can ensure the confidentiality of information. Encryption is an example of
such an access control. It can be used to protect the confidentiality of information. Access controls can be
applied at different levels of an information security management system:
• At the physical level (example: locks on doors, filing cabinets that lock, safes etc.)
• At the logical level (example: access controls to information)
74
Integrity: Data must be complete and intact.
For example: Accounting data must reflect reality (complete and exact). Exactness means the absence of unauthorized alterations to the information.
Many devices that handle data, including disk drives and other media as well as telecommunications systems, contain mechanisms for automatic data integrity verification. Data integrity controls are essential in operating systems, software and applications; they help prevent the intentional or accidental corruption of programs and data.
Integrity controls must also be built into procedures, where they contribute to reducing the risk of error, theft or fraud. Data validation controls, user training and certain controls at the operational level are good examples.
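The following is an added example, not part of the PECB training material, of the kind of application-level integrity control the paragraph above refers to. It seals each accounting record with a keyed hash (HMAC-SHA256) and later verifies that the stored content still matches its tag, so that any alteration made after sealing is detected. The record layout, the key handling and the helper names (`seal`, `verify`, `audit`) are assumptions made for the example, and the sample ledger entries are constructed.

```python
"""Integrity control for stored records using a keyed hash (HMAC-SHA256).

Added example; record layout, key handling and helper names are assumptions,
not taken from ISO 27001 or the training material.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample: a few accounting entries as they might be stored.
SAMPLE_RECORDS = [
    {"id": 1, "account": "4000", "debit": 0, "credit": 1500},
    {"id": 2, "account": "1200", "debit": 1500, "credit": 0},
]


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC tag over its content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag over the content and compare it in constant time."""
    content = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(content), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def audit(sealed_records: list, key: bytes) -> list:
    """Return the ids of records whose content no longer matches their tag."""
    return [r["id"] for r in sealed_records if not verify(r, key)]


def demo() -> list:
    """Seal the sample ledger, simulate an alteration, and report what the audit finds."""
    # The key is what makes this a control: it must live in a key store,
    # not beside the data, or whoever can edit a record can also re-tag it.
    key = secrets.token_bytes(32)
    ledger = [seal(r, key) for r in SAMPLE_RECORDS]
    # Simulated alteration after sealing: the credit amount of record 1 is changed.
    ledger[0]["credit"] = 150
    return audit(ledger, key)


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

The point of using a keyed hash rather than a plain checksum is separation of duties: a plain SHA-256 stored next to the record can be recomputed by anyone who can modify the record, so it only catches accidental corruption, whereas the HMAC tag cannot be regenerated without the key, which turns the check into a control against deliberate alteration as well.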
75
Availability: Information must be easily accessible by individuals who need it.
For example, data related to customers must be accessible to the marketing department.
In practice, the availability of information requires controls such as data backups, capacity planning, procedures and criteria for system acceptance, incident management procedures, management of removable media, information processing procedures, maintenance and testing of equipment, business continuity procedures, and procedures to control the use of systems.
76
The vulnerability assessment can be complicated by a common misperception that weaknesses or shortcomings are always associated with negative characteristics. Many vulnerabilities are indeed negative characteristics, as in an information system whose patches are not kept up to date.
But in the case of other vulnerabilities, the weakness may be associated with a positive characteristic that has undesirable side effects. For example, the mobility of laptops is a desirable benefit for which one pays a higher price, but that same advantage makes them more likely to be stolen.
Vulnerabilities can be intrinsic or extrinsic. Intrinsic vulnerabilities are related to the inherent characteristics of the asset. Extrinsic vulnerabilities are related to the specific circumstances in which the asset is placed. For example, a server that lacks the capacity to process its data load has an intrinsic vulnerability, and if that server sits in a basement in a flood zone, it is subject to an extrinsic vulnerability.
77
Annex D of ISO 27005 provides a typology for classification of vulnerabilities which we could use in
principle. However, this list of vulnerabilities should be used with caution. This list is not complete as new
vulnerabilities occur regularly due to, among others, evolution and changes in technology.
One must use Annex D as a guide or reminder to help organize and structure the collection and collation of
relevant data on vulnerabilities rather than as a checklist to follow blindly.
78
By definition, a threat has the potential to harm assets such as information, processes and systems, and therefore to harm the organization. It is associated with the negative aspect of risk: by its very nature, a threat is always undesirable.
In interviews, simple language should be used to facilitate the discussion of threats. For example, stakeholders can be asked against which events they wish to protect the organization's resources, supported by a list of example threats.
Annex C of ISO 27005 provides a typology for classifying threats. This list too should be used with caution: it is not complete and cannot claim to be exhaustive, since new threats appear regularly, among other reasons because technologies and the capabilities of threat agents keep evolving.
Annex C should be used as a guide to help organize and structure the collection and collation of relevant data on threats, rather than as a checklist to follow blindly.
In itself, the presence of a vulnerability does not produce damage: a threat must exist to exploit it. A vulnerability that no known threat can exploit may not require a control, but it must still be identified and monitored in case circumstances change.
Note that the incorrect implementation, misuse or malfunction of a control can, in itself, represent a threat: a control may be effective or ineffective depending on the environment in which it operates. Conversely, a threat for which no corresponding vulnerability exists cannot represent a risk.
Here is a list of potential impacts (see ISO 27005, Annex B.2) that can affect availability, integrity, confidentiality, or any combination of them:
01. Financial losses;
02. Loss of assets or of their value;
03. Loss of customers, loss of suppliers;
04. Lawsuits and penalties;
05. Loss of competitive advantage;
06. Loss of technological advantage;
07. Loss of efficiency or effectiveness;
08. Violation of the privacy of users or customers;
09. Service interruption;
10. Inability to provide service;
11. Loss of brand value or reputation;
12. Disruption of operations;
13. Disruption of third-party operations (suppliers, customers, etc.);
14. Inability to fulfil legal obligations;
15. Inability to fulfil contractual obligations;
16. Endangering the safety of staff or users.
ISO 27000 - Definitions
2.64. Residual risk: risk remaining after risk treatment.
2.69. Risk acceptance: informed decision to take a particular risk.
2.70. Risk analysis: process to comprehend the nature of risk and to determine the level of risk.
2.71. Risk assessment: overall process of risk identification, risk analysis and risk evaluation.
2.74. Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
2.76. Risk management: coordinated activities to direct and control an organization with regard to risk.
2.79. Risk treatment: process to modify risk.
1. Technical controls: controls relying on technical measures or technologies, such as firewalls, alarm systems, surveillance cameras, intrusion detection systems (IDS), etc.
2. Administrative controls: controls related to the organizational structure, such as segregation of duties, job rotation, job descriptions, approval processes, etc.
3. Managerial controls: controls related to the management of personnel, including training and coaching of employees, management reviews and audits.
4. Legal controls: controls related to the application of legislation, regulatory requirements or contractual obligations.
Note:
• An administrative control relates to the structure of the organization as a whole and is not applied by a particular person, whereas a managerial control is applied by managers.
• The differences between the types of security controls are explained only to aid understanding. An organization does not need to qualify the nature of the security controls it implements.
ISO 27000, clause 2.17.
Control objective: Statement describing what is to be achieved as a result of implementing controls.
ISO 27000, clause 2.16.
Control: measure that is modifying risk [SOURCE: ISO Guide 73:2009, 3.8.1.1]
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
Security controls are commonly classified in three categories: preventive, detective and corrective. Several information security reference frameworks use a finer classification with more categories.
Important note: these types of controls are inter-linked. For example, an antivirus solution is a preventive control in that it protects against malware; the same antivirus is a detective control when it detects a potential virus, and a corrective control when it quarantines or deletes a suspicious file.
1. Preventive control
Goal: discourage or prevent the occurrence of problems
• Anticipate problems before they occur;
• Control operations;
• Prevent an error, an omission or a malicious act.
Examples
• Publication of the information security policy;
• Having partners and employees sign a confidentiality agreement;
• Establishing and maintaining appropriate contacts with groups of information security specialists;
• Hiring only qualified personnel;
• Identification of risks arising from third parties;
• Segregation of duties;
• Separation of development, test and production environments;
• Restriction of system access to office hours;
• Securing offices, rooms and equipment;
• Use of clearly defined procedures (to prevent errors);
• Use of cryptography;
• Use of access control software that allows only authorized personnel to access sensitive files.
Detective control
Goal: search for and identify anomalies
• Use controls that detect and report the occurrence of an error, omission or malicious act
Examples
• Checkpoints in production jobs
• Echo control in telecommunications
• Accountability (the capability to associate users and processes with their actions)
• Alarms to detect heat, smoke, fire or water damage
• Verification of duplicate calculations
• Periodic status reports with variances
• Internal audit functions
• Video cameras
• Intrusion detection system (IDS)
Corrective control
Goal: prevent the repetition of anomalies
• Minimize the impact of a threat
• Remedy problems discovered by detective controls
• Identify the causes of the problem
• Correct errors arising from a problem
• Modify the processing system to reduce future problems to a minimum
Examples
• Implementing emergency plans with the required training, awareness, testing procedures and maintenance activities
• Emergency procedures, such as periodic backups, storage in a safe place and the recovery of transactions
• Re-execution of procedures
2. Detective control
Goal: search for and identify problems
• Use controls that detect and report the occurrence of an error, omission or malicious act.
Examples
• Periodic independent review of information security;
• Monitoring and review of third-party services;
• Monitoring of the resources used by systems;
• Analysis of audit logs;
• Integration of checkpoints in applications in production;
• Echo control in telecommunications;
• Alarms triggered by heat, smoke, fire or water;
• Verification of duplicate calculations in data processing;
• Detection of break-ins with video cameras;
• Detection of potential network intrusions with an intrusion detection system (IDS);
• Review of user access rights;
• Technical review of applications after a modification of the operating system.
3. Corrective control
Goal: overcome the problems discovered and prevent their recurrence
• Minimize the impact of a threat;
• Overcome problems discovered by detective controls;
• Identify the causes of the problem;
• Correct errors arising from a problem;
• Modify the processing system to reduce future problems to a minimum.
Examples
• Technical and legal investigation (forensics) following a security incident;
• Activation of the business continuity plan after a disaster;
• Review of the security policy after a new division joins the organization;
• Reporting a computer crime to the authorities;
• Changing all passwords on all systems once a successful network intrusion has been detected;
• Recovery of transactions through the backup procedure after discovering that data has been corrupted;
• Automatic disconnection of idle sessions;
• Deployment of patches following the identification of technical vulnerabilities.
1. Assets and controls can present vulnerabilities that can be exploited by threats.
2. It is the combination of a threat and a vulnerability that creates a risk and increases its potential effect.
3. Controls reduce vulnerabilities. An organization has few means of acting on the threats themselves: for example, controls can be implemented to protect against system intrusions, but it is difficult for an organization to reduce the number of hackers on the Internet.
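The relationship between assets, vulnerabilities, threats, controls and residual risk summarized above, together with the ISO 27000 definitions of risk analysis, risk evaluation and risk treatment given earlier in this section, can be made concrete in a small qualitative risk register. The following Python script is an added example written for this edition of the notes; it is not PECB course material and not a method prescribed by ISO 27005. The 1..5 scales, the multiplicative risk formula, the acceptance threshold of 20, and the asset, threat and control data are all constructed assumptions chosen for illustration.

```python
"""Added example: a minimal qualitative risk assessment wiring together the
concepts of this section. Scales, formula, threshold and sample data are
constructed for illustration (assumptions, not ISO 27005 prescriptions)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), constructed scale
    exploits: frozenset    # names of the vulnerabilities this threat can exploit


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int          # 1 (hard to exploit) .. 5 (trivial to exploit)
    kind: str              # "intrinsic" or "extrinsic" (ISO 27005 distinction)


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str           # vulnerability the control modifies
    effectiveness: int     # severity points removed; 0 = in place but ineffective


@dataclass
class Asset:
    name: str
    impact: int            # 1 (negligible) .. 5 (severe) consequence if compromised
    vulnerabilities: List[Vulnerability]
    controls: List[Control] = field(default_factory=list)


RISK_CRITERIA = 20   # constructed acceptance threshold on the 1..125 risk scale


def risk_level(likelihood: int, severity: int, impact: int) -> int:
    """Risk analysis: likelihood x ease of exploitation x impact (one common
    qualitative formula; ISO 27005 leaves the choice of scale to the organization)."""
    return likelihood * severity * impact


def residual_severity(vuln: Vulnerability, controls: List[Control]) -> int:
    """Risk treatment acts on the vulnerability, not on the threat: an organization
    cannot reduce the number of hackers on the Internet. Severity never drops
    below 1, because a control modifies risk but does not make the weakness
    vanish (compare ISO 27000 2.16, Note 2: a control may not have its intended effect)."""
    reduction = sum(c.effectiveness for c in controls if c.reduces == vuln.name)
    return max(1, vuln.severity - reduction)


def assess(asset: Asset, threats: List[Threat]) -> Dict[str, list]:
    """Risk assessment for one asset: identification (pair each vulnerability with
    the threats able to exploit it), analysis (level before and after controls) and
    evaluation (compare the residual level with the risk criteria). Vulnerabilities
    that no known threat can exploit are not risks today and are only listed for
    monitoring, as the section recommends."""
    risks, monitor = [], []
    for vuln in asset.vulnerabilities:
        matching = [t for t in threats if vuln.name in t.exploits]
        if not matching:
            monitor.append(vuln.name)
            continue
        for threat in matching:
            inherent = risk_level(threat.likelihood, vuln.severity, asset.impact)
            residual = risk_level(threat.likelihood,
                                  residual_severity(vuln, asset.controls),
                                  asset.impact)
            risks.append({
                "threat": threat.name,
                "vulnerability": vuln.name,
                "inherent": inherent,
                "residual": residual,
                "decision": "accept" if residual <= RISK_CRITERIA else "treat further",
            })
    return {"risks": risks, "monitor": monitor}


# Constructed sample data, not taken from any real assessment.
FILE_SERVER = Asset(
    name="file-server-01",
    impact=4,
    vulnerabilities=[
        Vulnerability("unpatched operating system", 5, "intrinsic"),
        Vulnerability("located in a basement in a flood zone", 3, "extrinsic"),
        Vulnerability("insufficient processing capacity at peak load", 2, "intrinsic"),
    ],
    controls=[
        Control("monthly patch cycle", "unpatched operating system", 4),
        # a control that is in place but malfunctions: it modifies nothing
        Control("sump pump, never tested", "located in a basement in a flood zone", 0),
    ],
)

THREATS = [
    Threat("remote exploitation of a known vulnerability", 4,
           frozenset({"unpatched operating system"})),
    Threat("flooding", 2, frozenset({"located in a basement in a flood zone"})),
]

if __name__ == "__main__":
    result = assess(FILE_SERVER, THREATS)
    for r in result["risks"]:
        print(f"{r['threat']:<48} {r['inherent']:>3} -> {r['residual']:>3}  {r['decision']}")
    print("monitor only (no known threat):", result["monitor"])
```

Running the script shows the three outcomes the section describes: the patched operating system drops from an inherent level of 80 to a residual level of 16 and is accepted; the flood exposure stays at 24 because the control in place is ineffective, so it must be treated further; and the capacity weakness, which no listed threat can exploit, is reported for monitoring only rather than given a control.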
For each of the following 5 controls, indicate whether it is used as a preventive, detective and/or corrective control, and whether it is an administrative, technical, managerial or legal measure. Explain your answer.
Example: the installation of a fence around the organization's site.
It is a preventive control that helps secure the site against unauthorized physical access. The installation of a wire fence is a technical measure, since it involves the installation of physical equipment.
1. Attribution of information security responsibilities to each member of the organization
2. Implementation of a fire alarm system
3. Encryption of electronic communications
4. Investigation of a security incident
5. Identification of applicable legislation
Duration of the exercise: 20 minutes
Comments: 15 minutes
Section 5: Initiating the ISMS implementation
Main objectives of initiating the ISMS implementation
1. Determine the methodological approach for managing the ISMS implementation project
2. Select a project methodology for the ISMS implementation
Definitions related to project management
ISO 27003 and ISO 10006
• Project: Unique process, consisting of a set of coordinated and controlled activities
with start and finish dates, undertaken to achieve an objective conforming to specific
requirements, including the constraints of time, cost and resources (ISO 10006, 3.5)
• Activity: Smallest identified item of work in a project process (ISO 10006, 3.1)
• Project management: Planning, organizing, monitoring, controlling and reporting of
all aspects of a project and the motivation of all those involved in it to achieve the
project objectives (ISO 10006, 3.6).
• ISMS project: Structured activities undertaken by an organization to implement an
ISMS (ISO 27003, 3.1).
Notes on terminology
1. The project organization is normally temporary and established for the lifetime of the project.
2. An individual project may form part of a larger project structure.
3. The complexity of the interactions among project activities is not necessarily related to the project size.
4. The ISMS project must be distinguished from the management of ISMS operations. Conducting an ISMS project aims to implement an information security management system; managing ISMS operations is the daily management and maintenance of the ISMS once implemented.
Important note: the main purpose of this course is to explain the methodology for the ISMS implementation project, not the management of daily operations. A section is nevertheless devoted to the management of ISMS operations at the end of day 3.
List of activities included in PECB IMS2 methodology with the corresponding input and output
Input
• Intention of the organization to implement an ISMS
Activities
1. Definition of the approach to the ISMS implementation
2. Selection of a methodological framework to manage the ISMS implementation project
3. Alignment with the best practices (read documentation on the best practices used on the market and
buy copies of the needed standards)
Output
• Selection of a project management methodology
An organization wishing to comply with ISO 27001 may consider several approaches, depending on:
• the speed of implementation
• the scope
• the targeted maturity level of the processes and security controls (compared with the initial state of the ISMS)
Using a rational approach, it is not unreasonable to plan a period of 6 to 12 months for the project, from conception to completion of the first audit cycle and the monitoring of the system.
According to a survey ("ISO 27001 Global Survey 2008", Certification Europe) of 312 firms certified to ISO 27001, for 60% of them the implementation of the ISMS took less than 12 months, and for 20% less than 6 months. Notably, all firms that took less than six months to implement an ISMS already had another management system in place.
In the case of SMEs, the survey reveals that the average duration of an ISMS project is 6 to 12 months, with 3 to 4 people working part time (an effort of 35 to 60 days per person). For large companies, the average completion time is 12 to 18 months, with on average two people dedicated full time to the project (plus many occasional contributors). These averages apply to organizations that are already reasonably secure, that is, organizations that have previously implemented the security measures commonly used in the industry, particularly at the technical level (firewalls, antivirus, etc.).
When a limited scope is chosen for the ISMS at the start of the project, as in the "IT Governance fast track" approach (reaching the goal very quickly in a given business context), a medium-sized organization can complete such a project in 4 to 7 months.
Traditionally, the implementation approaches proposed for an ISMS are sequential: the organization's project plan is completed before a project dedicated to the ISMS is set up, and the monitoring and improvement phases are activated only once all the system components are in place. Within each phase, it is not unusual for security controls to be implemented sequentially as well (e.g., the antivirus policy is developed and approved before the procedures and work instructions for managing this control are actually written and implemented).
The major drawback of this approach is that it consumes a great deal of time and resources, whether for planning, approval or "piece by piece" implementation of the system. It also deprives management of any immediate interest in the system, since the organization must wait until all the pieces of the puzzle are assembled before any direct benefit can be felt. Finally, it tends to "exhaust" the participants during implementation, with a major risk that the project is abandoned along the way.
The approach proposed in this course tries to circumvent this difficulty with a philosophy based on 5 principles for initializing such a system within a reasonable time for the organization:
1. Business approach: integrate the ISMS into the business environment of the organization, choosing an initial application domain at the heart of the business.
2. Systems approach: address the system as a whole, with no implementation of isolated processes.
3. Systematic approach: apply the best practices of project management (for example, ISO 10006).
4. Integrated approach: one management system for the overall management of security, rather than one for SOX, one for Basel II, one for ISO 27001, etc.; also, align or integrate the ISMS with the other management systems already in place in the organization (for example, ISO 9001).
5. Iterative approach: rapidly establish a minimal process and improve it thereafter, in an initial application domain where the actors are identified and involved and the processes defined.
Some recommendations for applying these principles in the field:
1. Avoid introducing new technologies: design the initial system with the technology already in place in the organization. Most organizations already have the minimum technology needed to implement an ISMS. Optimizing the ISMS with more efficient technologies can be done later, in the continual improvement phase.
2. Integrate the ISMS into existing processes: reuse everything that is already formalized and can be related to the requirements of the ISMS framework. Avoid creating processes that do not fit the reality of the organization.
3. Apply the principles of continual improvement, taking into account the suggestions and improvements proposed by the interested parties in the project. Set modest goals at the start and plan progressive improvement over the long term.
4. Involve the organization's stakeholders: define the roles and responsibilities of all project stakeholders early in the implementation process, secure their involvement and motivation, study their relationships and maintain them in the system once it is initialized.
5. Obtain management support: ensure that management understands and supports the project, so that it grants the importance and the means required in a timely manner, and ensure that management fulfils its responsibilities for the information security policy, risk management and the regular review of the management system over time.
6. Appoint an ISMS project manager: identify and appoint a person responsible and accountable for the project implementation. This is not necessarily the future ISMS manager, but the appointment guarantees the smooth running of the implementation, its timing and its support (budget, approvals, etc.).
Important note: it is neither mandatory nor necessary to implement complex systems to address complex issues. In most cases, common sense and sound project management will indicate the course of action needed to be effective and to remain so.
By following a structured and effective methodology, an organization can be sure to cover all the minimum requirements for implementing a management system.
Important notes:
1. Whatever methodology is used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, etc.) and not apply it like a cookbook.
2. The sequence of steps can be changed (inverted, merged, etc.). For example, the document management procedure can be implemented before the organization is fully understood.
3. Many processes are iterative because of the need for progressive development throughout the implementation project; communication and training, for example.
PECB has developed an approach and methodology for implementing a management system, called "Integrated Implementation Methodology for Management Systems and Standards (IMS2)". It is based on best practices and on the guidelines of the ISO standards, and it meets the requirements of ISO 27001.
IMS2 is based on the PDCA cycle and is divided into four phases: Plan, Do, Check and Act. Each phase has between 2 and 8 steps; the steps are divided into activities, and the activities into tasks. During the training, the steps and activities are presented and illustrated in the chronological order of an implementation project.
Tasks are not detailed because they are specific to each project and depend on the organization's context. For example, activity 1.4.2 (Establish the ISMS project team) involves a series of tasks such as writing the job description, interviewing candidates, signing a contract, etc.
ISO 10006: Quality management systems - Guidelines for quality management in projects . ISO
10006 gives guidance on the application of quality management in projects. It is applicable to
projects of varying complexity, small or large, of short or long duration, in different environments,
and irrespective of the kind of product or process involved. This can necessitate some tailoring of
the guidance to suit a particular project.
Reference: www.iso.org
Project Management Institute (PMI): with more than 240 000 members in over 160 countries, PMI is the largest membership association for project management professionals. PMI is actively committed to the profession: it sets professional standards, conducts research and provides access to a wide range of information and resources. PMI also promotes career and professional development and offers certification, networking and improvement opportunities to the community. The best-known certification offered by PMI is the Project Management Professional (PMP).
PMI also publishes the PMBOK Guide (Project Management Body of Knowledge). This reference identifies and describes the knowledge and practices applicable to most projects, on whose value and usefulness there is broad consensus. The guide recognizes 5 process groups: initiating, planning, executing, monitoring and controlling, and closing. Each process is described in terms of inputs (documents, plans, designs, etc.), tools and techniques (mechanisms applied to the inputs) and outputs (documents, products, etc.). The guide also defines knowledge areas: Project Integration Management, Project Scope Management, Project Time Management, Project Cost Management, Project Quality Management, Project Human Resource Management, Project Communications Management, Project Risk Management and Project Procurement Management (the 9 areas of the 4th edition; the 5th edition, published in 2013, adds Project Stakeholder Management).
Reference: www.pmi.org
ISO 27003 outlines the major steps in implementing an ISMS. It guides the user and provides assistance in implementing the system effectively. The standard contains the following sections:
1. Introduction
2. Scope
3. Terms and definitions
4. Structure of this International Standard
5. Obtaining management approval for initiating an ISMS project
6. Defining ISMS scope, boundaries and information security policy
7. Conducting information security requirements analysis
8. Conducting risk assessment and planning risk treatment
9. Designing the ISMS
The methodological framework proposed by ISO 27003 is generic and applicable to all types of organizations. However, it is not an exhaustive reference and does not claim to be universal. Nor is this framework a formal methodology, because it does not provide a tooled, operational approach. Note that using ISO 27003 is not in itself a requirement for certification to ISO 27001.
The methodology proposed by PECB is based in part on the approach described in ISO 27003 but does not claim to substitute for it. The objective of this methodology is to make the implementation of an ISMS operational, step by step: that is, to explain with examples and tools the "how", starting from the "what" described in ISO 27003.
Important note: not all subjects are discussed in detail during this training. Subjects only briefly mentioned here, such as the presentation of the 114 security controls of Annex A, should not be regarded as unimportant.
The body of best practices included in the various ISO standards gives access to knowledge on which there is broad consensus among experts in the information security field. These best practices should not be confused with the requirements of the standards: a good practice is a recommendation, not a requirement. Each organization is therefore free to use it as a reference or not, and to apply it or not.
In this training, the conscious choice was made to present the good practices published in the various ISO standards. However, there are several other sources of good practice, such as ANSI or the ITIL library. For example, an organization may refer to ISO 27035 to develop its incident management process, but it could equally base it on ITIL or on CERT guides in that domain.
Note on terminology
1. "Good practice" means that it is generally recognized that implementing the recommendations for the practices described corresponds to activities, tools and techniques widely used by specialists.
2. "Generally recognized" means that the knowledge and/or practices presented are usually applicable to most organizations, and that their value and usefulness are the subject of fairly broad consensus.
Section 6: Understanding the organization and clarifying the information security objectives
Main objectives of this step
1. Understand the organization and its context.
2. Gather the necessary information to plan the ISMS implementation.
3. Ensure that the ISMS objectives are aligned with the business objectives of the organization.
Understanding the organization is essential before starting an ISMS implementation project. The difficulty of this step is to understand accurately how the organization is structured internally and how it is situated in its external environment. This step brings together all the necessary information, a prerequisite for the gap analysis between the existing system and the desired one.
An organization wishing to comply with ISO 27001 shall at least:
1. Be able to demonstrate that its ISMS is aligned with its mission, its objectives and its business strategies;
2. Identify and document the organization's activities, functions, services, products, partnerships, supply chains and relationships with interested parties;
3. Define the external and internal factors that can influence the ISMS;
4. Know and take into account the information security issues of its industry sector, such as risks, legal and regulatory obligations and customer requirements;
5. Establish and document objectives for the ISMS.
Definitions related to the concept of "organization"
ISO 9000
• Organization: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (ISO 9000, 3.2.1).
• Infrastructure: system of facilities, equipment and services needed for the operation of an organization (ISO 9000, 3.5.2).
• Requirement: need or expectation that is stated, generally implied or obligatory (ISO 9000, 3.6.4).
Notes on terminology
1. An organization is a structured entity, usually registered with a government body. It may be, for example, a company, an institution, a charity, a self-employed person, an association, or a combination thereof. An organization can be public or private.
2. "Infrastructure" can be used as a synonym of "supporting asset" as defined by ISO 27005 (see section 11, day 2).
3. Do not confuse the use of the term "requirement" in the context of the specifications laid down in a standard with the "requirements of the organization". The organization's requirements may come from different stakeholders. They can be explicit (defined by contract, agreement or regulation) or implicit (not documented).
List of activities included in PECB IMS2 methodology with the corresponding input and output
Input
• General information about the organization (Website, annual report, catalogue of products and
services, etc.)
• Strategic objectives of the organization
• List of applicable laws, contracts and signed agreements
Activities
1. Understanding of the mission, objectives, values, strategies of the organization
2. Analyzing the external environment
3. Analyzing the internal environment
4. Identification of the key processes and activities
5. Identification of infrastructure
6. Identification and analysis of interested parties
7. Identification and analysis of business requirements
8. Determination of the ISMS objectives
9. Preliminary definition of the scope
Output
• Brief description of the organization and its environment
• List of stakeholders and their requirements
• List of applicable legal, regulatory and contractual obligations
• Objectives and priorities related to ISMS
• Preliminary Scope
It is necessary to obtain an overview of the organization in order to understand its security challenges and the risk inherent in its market segment. General information about the organization concerned should be collected in order to better appreciate its mission, strategies, main purpose, values, etc. This helps ensure consistency and alignment between the strategic objectives for risk management and the organization's mission.
Mission: The mission is the reason for the company to exist. It is what justifies and drives what the organization does. For example, the mission of an organization may be to offer customers the best value in furniture, to overcome cancer or to make affordable motor vehicles.
Implications for risk management: Information security aims to support the organization in fulfilling its mission by protecting its information assets. Information security must therefore be aligned with the corporate mission.
Values: Values are the fundamental and enduring beliefs that are shared by members of an organization and influence the behavior of individuals.
Implications for risk management: The values of the organization influence the choices made by professionals in IT risk management. For example, values can influence the priorities and policies applied when evaluating risks.
Objectives: An objective is a result that the organization wants to achieve. Objectives are generally clear, quantified and time-bound (a 5% gain in market share in 24 months, a $20,000,000 increase in sales in France within 12 months, ...).
Implications for risk management: As with strategy, risk management must know and be aligned with the business objectives in order to achieve its own objectives, by identifying the information risks that the organization must manage.
Strategies: A strategy consists of the definition of actions, occurring in a logical sequence, to achieve one or more goals.
Implications for risk management: The choice of risk treatment and the resulting actions will also depend on the strategy defined by the organization.
Several models have been developed to analyze and understand the strategic context of an organization. Note that this step should not become a project in itself. In most organizations, studies of their strategic positioning have already been conducted internally or by consulting firms. It should be enough to collect these studies, analyze them and interview some key persons to ensure an adequate understanding of the organization.
Particular attention should be paid to the identification and analysis of known threats and external security requirements related to the industrial sector of the organization. A marketing analysis could also be undertaken to verify whether the implementation of an ISMS will generate a competitive advantage for the organization or whether it may become a market condition for remaining in business. For example, several organizations are considering requiring ISO 27001 certification from their IT service providers.
Here are some frequently used models:
1. SWOT analysis (Strengths, Weaknesses, Opportunities, Threats): This model produces a diagnosis of the organization by analyzing its strengths, weaknesses, opportunities and threats, in order to formulate policy options and determine where the organization should invest its resources. The main questions to ask in a SWOT analysis are:
A. Strengths:
What advantages does your organization have?
What do you do better than anyone else?
What unique or lowest-cost resources can you draw upon that others can't?
What do people in your market see as your strengths?
What factors mean that you "get the sale"?
What is your organization's Unique Selling Proposition (USP)?
B. Weaknesses:
What could you improve?
What should you avoid?
What are people in your market likely to see as weaknesses?
What factors lose you sales?
C. Opportunities:
What good opportunities can you spot?
What interesting trends are you aware of?
D. Threats:
What obstacles do you face?
What are your competitors doing?
Are quality standards or specifications for your job, products or services changing?
Is changing technology threatening your position?
Do you have bad debt or cash-flow problems?
Could any of your weaknesses seriously threaten your business?
• Strengths: characteristics of the business or project team that give it an advantage over others.
• Weaknesses (or limitations): characteristics that place the team at a disadvantage relative to others.
• Opportunities: external chances to improve performance (e.g. make greater profits) in the environment.
• Threats: external elements in the environment that could cause trouble for the business or project.
2. PEST analysis (Political, Economic, Social, Technological): The PEST analysis allows the organization to analyze the market forces and opportunities categorized into four areas: social, technological, economic and political. Some authors have added two other categories: legal and environmental.
3. Five Forces analysis: This approach consists of modeling the competitive environment of a business in the form of five factors that influence the actions within an industry. These five forces are the intensity of rivalry among competitors, the bargaining power of customers, the threat of potential entrants into the market, the bargaining power of suppliers and the threat of alternative products.
In analyzing the internal environment, it is necessary to identify the structures comprising the various bodies and the relations (hierarchical and functional) between them. Segregation of duties, responsibilities, authority and communication within the organization should also be studied. The functions outsourced to subcontractors should be identified as well.
The structure of the organization may be of different types:
1. The divisional structure: each division is under the authority of a division director responsible for strategic, administrative and operational decisions within that unit.
2. The functional structure: functional authority is exercised over procedures, the nature of the work and sometimes the decisions or planning (e.g. production, information technology, human resources, marketing, ...).
Notes:
• A division within a divisional structure can itself be organized into functions, and vice versa.
• An organization is said to have a matrix structure when the entire organization combines both structure types.
• Whatever the structure, the following levels are distinguished:
1. The decision level (responsible for the policy and the strategies)
2. The steering level (responsible for the coordination and management activities)
3. The operational level (responsible for production and support activities)
The organizational chart is an excellent tool for understanding the internal environment. It shows the structure of the organization in diagram form. This representation shows the links of subordination and delegation of authority, but also dependencies. Even where the chart shows that no formal authority exists, the information flows can be deduced from the links.
It is essential for the ISMS project manager to know the range of products and services of the organization. Indeed, the type of goods and services produced by the organization has a major impact on its business model and on how the organization conducts its business. In addition, products and services may expose the organization to special risks, such as environmental hazards or prosecution.
It is also essential for the ISMS project manager to understand the business processes of the organization, because it is the conduct of these processes that exposes the organization to numerous information security risks. The risk manager should analyze and understand the nature of these processes and determine the direct and indirect risks to which the organization is exposed during operations, as was done during the risk analysis.
The identification of the information assets of the organization is crucial when developing an ISMS. Indeed, increasingly complex technical management environments make it more and more difficult to protect assets that are constantly evolving and are combined with other assets to form new assets. Thus, the ISMS project manager has to pay particular attention to:
• Identify unambiguously the owners of assets;
• Ensure that the owners understand, consistently and unambiguously, the boundaries of the assets they are responsible for;
• Define for each asset a complete set of related security requirements;
• Describe unequivocally where assets are stored, moved and used (whether in a physical or logical way);
• Determine the value that the organization attaches to the evaluated assets. That value can be absolute (e.g., a purchase or replacement price) or relative (the direct cost or indirect loss caused by the asset).
Although the ISO 27000 family of standards is concerned with protecting all information assets, and not only those related to information technologies, the ISMS project manager must understand the processes and IT infrastructure of the organization, because they play a vital part in the processing, transfer and maintenance of organizational information.
In ISO 27005, IT infrastructures belong to the category of supporting assets. In Annex B.1.2, sub-categories are defined for each asset category, with examples. During the second day of the training, we shall look in more detail at the identification and analysis of risks related to the assets.
ISO 27001 often raises the topic of the interested parties, which in this context denotes both the internal and external interested parties of the organization with an interest in the information security management process.
ISO 27001 also stipulates that the ISMS is intended to ensure the selection of appropriate and proportionate security controls to protect the assets and give confidence to interested parties.
Note on terminology: ISO 27005 also uses the term "stakeholders" without nuance. Some experts define stakeholders as a sub-category of the interested parties. Stakeholders are those who take direct action in connection with the ISMS (such as employees, customers or suppliers). The media or legislators would only be interested parties, because they do not generally work directly with the ISMS.
Definitions
Interested party: person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
EXAMPLE Customers, owners, people in an organization, providers, bankers, regulators, unions, partners or society that can include competitors or opposing pressure groups.
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding the Example.
Reference: ISO 9000, clause 3.2.3
Customer: person or organization that could or does receive a product or a service that is intended for or required by this person or organization
EXAMPLE Consumer, client, end-user, retailer, receiver of product or service from an internal process, beneficiary and purchaser.
Note 1 to entry: A customer can be internal or external to the organization.
Reference: ISO 9000, clause 3.2.4
In a first step, the ISMS project team should identify all interested parties and their requirements and expectations regarding information security. It is imperative to identify the interested parties so that they can get involved in the risk assessment process and in the implementation of the ISMS. A requirement could be that any violation of information security will not lead to financial hardship and/or will not affect the organization. An expectation might be that if a serious incident occurs, for example a computer system failure, enough people are trained in adequate procedures to reduce the impact of the incident and restore services quickly.
In a second step, the ISMS project team should analyze the security needs of the interested parties and confirm that the organization responds to their concerns. This activity can be done by sending a questionnaire, conducting interviews, or facilitating focus groups. One should also be aware of the service agreements concluded and analyze the security requirements, explicit or implicit, that they contain.
In a third step, the ISMS project team should define what is expected of the different stakeholders within the project: roles, responsibilities and required levels of participation. It should thereby reach a consensus with the stakeholders on their involvement during the planning stage.
Time must be foreseen in the project to support the stakeholders in their assigned tasks (answering questions, consolidating reports, presenting project progress, etc.).
Important note: The organization has an obligation to inform all stakeholders of actions and improvements related to information security that could have an impact on them, at a level of detail appropriate to the circumstances. This topic will be addressed in the section on training, awareness and communication (Day 3 of the training). (see ISO 27001, Clauses 7.2-7.4)
Taking into account the requirements and expectations of interested parties is needed for a successful implementation of the ISMS project. Their requirements and expectations should be fully understood to ensure that processes and security controls are geared to these requirements. We can classify the interested parties into two categories: those who support the project and those who oppose it.
Positive interested parties help the ISMS project succeed because it serves their interests.
For example, the CIO of an organization might consider it a positive fact that the ISMS will give the management team new means of assessing security incidents in a finer-grained way than before, within a standardized governance framework, in order to improve reporting to management.
Strategy: active involvement as a stakeholder.
Negative interested parties will impede the smooth running of the project and try to derail it.
For example, the head of a department in charge of managing users' access rights would not be pleased to see additional security controls being set up, because they could undermine his team's ability to grant access rights in time, or because they might cause his team to work more overtime, which is difficult to incorporate into the daily work.
Strategy: engage him on the objectives, highlighting the best interests of the organization, negotiating compromises or neutralizing his influence as a last resort.
Other positive examples:
• The CFO thinks that the ISMS is a good tool for assessing the value (even relative) of the intangible assets of the organization;
• The quality manager is motivated by the fact that compliance with ISO 27001 will help to reactivate the quality management process, which had been somewhat neglected since the last ISO 9001 certification. Combining both standards also seems a good way to develop cost-effective good practices internally;
• The firm's customers perceive compliance with ISO 27001 as a better guarantee that their personal data will be more effectively protected by the supplier;
• Etc.
Other negative examples:
• The HR manager sees the ISMS as a burden with a certain impact on the effective functioning of his department;
• The head of physical security (managed by an external company) sees the ISMS as a disruptive element in his role, since the ISMS distributes roles and responsibilities more granularly than before and seems likely to reduce his workload;
• The maintenance technicians are reluctant to implement security controls for automated monitoring of servers, because they fear that this monitoring will cause performance losses on production machines;
• Etc.
One possible way to deal with negative attitudes towards the establishment of the ISMS may be to nominate an "ISMS champion". This person, usually a member of the leadership team or a person with sufficiently high responsibilities in the organization, could play the role of the "white knight", protector of the ISMS project and guarantor of its success.
This person is then supposed to embody the will of management to lead the implementation of the system. As such, he has full power and authority delegated to him to support and help finalize the project. In contrast to the role of protector, a kind of "anti-champion" or "negative leader" sometimes develops, who symbolizes the interests opposed to realizing the project, for whatever reasons. The role of champion is therefore quite useful to counter hostile actions against the project that could come from negative interested parties represented by one or more such leaders.
The organization must take into account the requirements of the business and legal or regulatory
requirements, and contractual security obligations that were agreed with various interested parties. To
do so, we must identify and take into account all the requirements on the organization that could
influence the direction for the handling of information security. Finally, they must be included in the
risk assessment process by analyzing the risks of non-compliance.
It should be noted that for the identification and analysis of legal and contractual requirements, it is
necessary to involve legal advisers or lawyers qualified in the field. An expert in information security is
usually not suited, for example, to analyze the implications of security laws.
The security requirements for all organizations, small or large, are derived mainly from four sources:
1. Laws and regulations: see the following slides.
2. Standards: Organizations must comply with the international standards and codes of practice related to their industry sector that they have voluntarily adopted. Although adopting such frameworks is a voluntary choice, from the point of view of information security they become obligations to comply with (with the risk of losing certification in case of serious failure).
3. Market: The market requirements include all contractual obligations that the organization has signed with its stakeholders. A breach of contractual obligations may result in penalties (when stated in the contracts) or civil suits for damages. The market requirements also include all the implicit rules that an organization should meet to do business. For example, although the organization may have no contractual obligation to deliver its products on schedule, it goes without saying that meeting scheduled delivery times is a basic commercial policy.
4. Internal policies: Internal policies include all requirements defined inside the organization: internal policies (human resources, information security, supply chain, etc.), ethical codes, work rules, etc. In case of failure, these can be considered violations of internal policies without necessarily involving any legal considerations.
ISO 27002
IMPORTANT - This publication is not intended to include all provisions necessary for a contract. Users are
responsible for its application in the appropriate conditions. Compliance with an ISO/IEC standard confers
no exemption to the satisfaction of legal obligations.
ISO 27002, domain 18 - Compliance
18.1: Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information
security and of any security requirements.
18.1.1: Identification of applicable legislation and contractual requirements
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s
approach to meet these requirements should be explicitly identified, documented and kept up to date for
each information system and the organization.
Implementation guidance: The specific controls and individual responsibilities to meet these requirements
should also be defined and documented.
Managers should identify all legislation applicable to their organization in order to meet the requirements for
their type of business. If the organization conducts business in other countries, managers should consider
compliance in all relevant countries.
It is generally desirable that the information security expert works with legal advisers to identify the subjects to analyze and to explain the security issues involved. For example, he should explain to the lawyer involved in the analysis how network monitoring operates, so that the lawyer can better assess whether it violates a privacy law or any internal regulation of the organization.
Moreover, new laws related to privacy, financial obligations and corporate governance require companies to monitor their IT infrastructure more responsively and effectively than before. Several public and private organizations that deal with these companies are mandated to ensure a minimum level of security. In the absence of proactive security, business executives may be exposed to lawsuits (civil or sometimes even criminal) for breach of their fiduciary and legal responsibilities. In larger companies, the demand for legal advice may focus on:
1. Data protection
In countries where specific laws exist that cover the safeguarding of confidentiality and data integrity, their scope is often limited to the control of personal data. In the same way that security incidents must be traced to the individuals who caused them, personal information should also be subject to adequate management and recording. A structured approach to information security incident management should therefore include the most appropriate measures to protect privacy.
2. Respect for privacy
In compliance with applicable laws, many organizations choose to establish a privacy protection policy, often designed to achieve the following objectives:
- Increase awareness of the regulatory, legal and business requirements regarding the treatment and protection of personal information;
- Establish a clear and complete company policy for the treatment of personal information;
- Establish the responsibility of all persons dealing with personal information; and
- Enable the organization to meet its commercial liability, legal and regulatory obligations in respect of personal information.
3. The identification and prosecution of computer crimes
Cybercrime represents a significant threat, via the Internet, to the information systems of an organization. The damage can be considerable and can result in direct financial losses, lost reputation or lost time for the organization. It has many faces and knows no borders. Its generic and unstable nature requires the head of the organization (virtually any structure being connected to an external network) to be aware of it and to have implemented adequate countermeasures in compliance with applicable laws. The collection of evidence must respect legislation. Protective measures cannot themselves be crimes (e.g., responding to spam with countermeasures such as a buffer overflow attack, ...).
4. The use of digital signatures
Today, the law recognizes the validity of agreements on evidence, as was already the case under the non-mandatory rules on evidence. The drafting of these agreements cannot be done arbitrarily; drafting should take account of the context in which they fall if they are to be considered valid in case of litigation. In some countries, electronic records must ensure the preservation of "traces" as evidence of integrity, with security procedures developed on the basis of recognized standards for electronic records (e.g., in France, AFNOR NF Z 42-013 or, more internationally, ISO 14721, "Space data and information transfer systems - Open archival information system (OAIS) - Reference model").
5. Intellectual property
The results of intellectual effort are often recognized by national and international conventions as an intellectual property right protecting certain intangible assets. For small and medium enterprises, efficient use of intellectual property can help them compete with bigger companies. Intellectual property has great potential for SMEs in terms of legal protection, information technology and competitive advantage. The goal here is to strengthen the competitive position of the company.
6. Commerce and electronic payments
From a legal standpoint, in most countries it is quite essential to be able to prove in court that a customer bought the product or service sold by the company. It should also be possible to show the tax authority in which period the individual transactions took place. The big difference between electronic commerce and paper-based trade is the medium in which transactions are stored. With proof on paper, a physical change is difficult, while a change to an electronic file is easier. Another aspect is the possibility that a competitor may offer the same products from a server located in a tax haven. Finally, when a consumer buys a product on a website, it is not always easy to determine which national law applies.
7. Records management
Some national laws require that companies maintain up-to-date records of their activities for review through an annual audit process. Similar requirements exist at the governmental level. In some countries, organizations are obliged by law to issue such reports or to provide records for legal purposes (for example, in any case that could result from an offense involving penetration of a sensitive government system).
ISO 27001 and Regulatory Frameworks
Example – United States
Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act, or SOX, was introduced following the financial scandals revealed in the United States at the beginning of the 2000s, such as the Enron and WorldCom affairs. It brings crucial legislative changes concerning the financial governance and administration of companies in order to protect stockholders. SOX relies on the establishment of controls based on a conceptual framework such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), for example.
HIPAA (1996)
HIPAA (Health Insurance Portability and Accountability Act) is an act that aims to protect the personal information related to the activities of the healthcare industry. It established standards concerning administrative and financial transactions, the security of personal information and unique health identifiers (e.g. insurance number, disease identifier).
GLBA (1999)
The function of the Gramm-Leach-Bliley Act is to make American financial institutions more competitive. Some clauses of this act force financial institutions to ensure a minimum level of protection for information concerning their customers and to implement controls to protect the security of information.
Federal Information Security Management Act (2002)
FISMA (legislation on information security management) imposes a series of processes that must be followed for any information system used by the American Federal Government, its contractors or suppliers.
SB 1386 (2002)
California Senate Bill 1386 forces organizations doing business in California that hold personal information to inform any California resident of any security breach that may affect their personal information.
NIST 800-53 (2006)
NIST 800-53 (National Institute of Standards and Technology) provides guidelines for securing information systems within the federal government by selecting and specifying security controls. These guidelines apply to every part of an information system that processes, stores or transmits federal information. It is issued by the U.S. Department of Commerce.
ISO 27001 and Regulatory Frameworks
Example – Europe
The European Parliament and the Council of the European Union have issued several directives, regulations
and decisions related to information security. These texts are strongly based on the protection of the rights
of the European consumer-citizen. Directives must be transposed into the national legislation of the
Member States, whereas regulations apply directly.
Directive 95/46/EC
Directive on the protection of individuals with regard to the processing of personal data and on the free
movement of such data. It applies to data processed by automated means (e.g. a computer database of
customers) and to data contained in, or intended to be part of, non-automated filing systems (traditional
paper files).
Directive 2002/58/EC
Directive concerning the processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications). This Directive tackles a
number of issues of varying degrees of sensitivity, such as the retention of connection data by the
Member States for police surveillance purposes (data retention), the sending of unsolicited electronic
messages, the use of cookies and the inclusion of personal data in public directories.
Regulation (EC) n°45/2001
Regulation concerning the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data. The text includes provisions
which guarantee a high level of protection of personal data processed by the Community institutions
and bodies. It also provides for the establishment of an independent supervisory body to monitor the
application of these provisions.
Framework Decision 2005/222/JHA
Council Framework Decision on attacks against information systems. The Member States agreed on common
definitions and applicable sanctions for several criminal acts: illegal access to information systems, illegal
system interference and illegal data interference. Member States must make provision for such offences to be
punished by effective, proportionate and dissuasive criminal penalties.
Directive 1999/93/EC
This Directive establishes the legal framework at the European level for electronic signatures and
certification services. The aim is to make electronic signatures easier to use, help them become legally
recognized within the Member States and to secure trans-border recognition of signatures and
certificates from third countries. The main provision of the Directive states that an advanced electronic
signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature
and is admissible as evidence in legal proceedings.
Directive 2001/29/EC
This Directive aims to adapt legislation on copyright and related rights to technological developments
and particularly to the information society. The Directive deals with three main areas: reproduction
rights, the right of communication and distribution rights.
Source: www.europa.eu
Example – International and industry repositories
OECD Principles (2002)
The OECD (Organisation for Economic Co-operation and Development) has published Guidelines for the
Security of Information Systems and Networks, built on nine principles: awareness, responsibility,
response, ethics, democracy, risk assessment, security design and implementation, security
management, and reassessment.
Payment Card Industry Data Security Standard (2004)
PCI DSS consists of a series of technical and operational controls whose goal is to protect cardholder
data against fraud and other threats related to payment cards. The standard applies to any organization
that stores, processes or transmits cardholder data.
Basel II (2004)
Basel II is the second of the Basel Accords, issued by the Basel Committee on Banking Supervision,
which publishes recommendations on banking laws and regulations. The goal of the committee is to
create international standards for the regulation of banking institutions and systems. Basel II sets out
ten security-related principles that also appear in ISO 27001, such as identification, risk assessment
and management, internal audit and contingency planning.
COBIT (1994+)
Developed by ISACA and the ITGI, COBIT (Control Objectives for Information and related
Technology) is a framework for the governance of information systems. COBIT provides IT
managers, auditors and users with indicators, processes and best practices to help them
maximize the benefits derived from information technology and to develop the governance and
control of the enterprise.
ITIL (1980+)
Published by the Office of Government Commerce (OGC), the Information Technology Infrastructure
Library is a set of publications describing best practices for IT Service Management (ITSM).
The objectives of an information security management program express the intent of the organization to
treat the risks identified and/or to comply with its organizational security requirements.
Initially, the objectives of the ISMS must be established in consultation with the interested parties.
The objectives of the ISMS are needed to determine the scope and must be validated at the highest level of
the organization. They can be refined during the project, in particular after the completion of the risk
analysis. The objectives should be formally documented.
ISO 27001, clause 6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk
treatment;
d) be communicated; and
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.
The determination of the objectives should take into consideration:
• historical risk events within the organization;
• current and emerging risk exposures;
• operational disruption trends and prior incidents;
• cost increases and revenue losses arising from potential disruptions;
• risk financing costs;
• liabilities;
• social responsibilities;
• success and failure of other information security projects and programs.
Some topics which should be considered when making the initial decisions regarding scope include:
a) What are the mandates for information security management established by organizational
management and the obligations imposed externally on the organization?
b) Is the responsibility for the proposed in-scope systems held by more than one management team
(e.g. people in different subsidiaries or different departments)?
c) How will the ISMS-related documents be communicated throughout the organization (e.g. on paper
or through the corporate Intranet)?
d) Can the current management systems support the organization's needs? Are they fully operational, well
maintained, and functioning as intended?
To run the ISMS project, the organization structure should be defined. The initial scope of the ISMS
should be defined at this time so that management has the information needed to make sound executive
decisions. The preliminary definition of the scope is necessary to create a "business case" and a project
plan for submission to management for approval. The result of this step is a document defining the scope
of the ISMS, which includes:
a) a summary of the mandates for information security management established by organizational
management, and the obligations imposed externally on the organization;
b) a description of how the area(s) in scope interact with other management systems;
c) a list of the business objectives of information security management (as derived in clause 5.2);
d) a list of critical business processes, systems, information assets, organizational structures and
geographic locations to which the ISMS will be applied;
e) the relationship of existing management systems, regulatory, compliance, and organization
objectives;
f) the characteristics of the business, the organization, its location, its assets and technology.
The common elements and the operational differences between the processes of any existing
management system(s) and the proposed ISMS should be identified.
Establish the ISMS management context
Proud of the growth of their business, the managers of Extreme Adventure Tours have suddenly become
concerned about control and security, especially since there have been some security incidents recently.
Because they know you well and know that you are experts in information security, they have entrusted you
with the mission of assisting them with the implementation of an information security management system
and of preparing for ISO 27001 certification.
The first step of your mission is to establish the context of information security management within the
organization. To management, this sounds like specialist jargon; they want you to propose a version that
they will approve later.
To achieve this, please identify, based upon the information contained in the case study, which would
potentially be the three sources of compliance requirements for the organization that you consider most
important. Also, please identify which two information assets and two business processes that you consider
most critical for the organization.
Duration of the exercise: 30 minutes
Comments: 15 minutes
Section 7: Analysis of the existing management system
Main objectives of this step
1. Identify the processes, procedures, plans and measures currently implemented within the
organization.
2. Identify the actual level of compliance to the requirement of the standard and analyze the gap.
3. Evaluate the effectiveness and maturity level of the processes in place within the organization.
Important notes:
• ISO 27001 does not require a gap analysis.
• The analysis of the existing management system should nevertheless be made to avoid unnecessary work or
costs, for example the duplication of processes or the implementation of unnecessary measures. It
establishes a diagnosis of the existing management system against the requirements of ISO 27001.
List of activities included in PECB IMS2 methodology with the corresponding input and output
Input
• General information about the organization
• Current documentation on the management system
• Previous evaluation of information security topics (consultant report, audit report, management review,
etc.)
Activities
1. Information gathering on the organization's current information security practices, with the processes,
plans, procedures and measures currently implemented
2. Gap analysis of the current management system's compliance and effectiveness against the requirements
of the standard, and documentation of the gap
3. Establishing targets and publication of a gap analysis report
Output
• List of the organization's current information security practices, with the processes, plans, procedures
and measures currently implemented
• Gap analysis report
The project team should build a detailed knowledge of the existing management system from information
collected from multiple stakeholders. An analysis of the existing situation done solely with domain experts
(internal experts or external consultants) would be just as biased as one from which they were excluded.
To determine the state of affairs at a given moment, the choice of collection method usually depends on the
type of data to be collected, the audience to interview, the skills available in the interviewing team for
encoding and analyzing the data and, of course, the available resources (time, budget, etc.). Many data
collection methods are available.
To gather the appropriate information in the organization, it may be useful to conduct the following actions:
• Examination of documents containing information on security controls (security management process,
procedures, description of security controls, security reports, etc..)
• Interviews with people responsible for information security and persons who manage the everyday
operations related to security controls
• Observation of on-site physical security controls
• Review results of internal audits
• Survey by (semi-automatic) questionnaires
Important note: Although some people within the organization may claim that there is no system in place,
this is almost never the case. There is always a set of security controls in place, however informal, which
are managed more or less effectively.
Some people might question the value of asking detailed security questions of people without professional
experience of the risks associated with information protection. Experience shows, however, that it is
essential to ascertain the views of stakeholders, expert or not, on the exposure of the resources they
manage. Those responsible for business processes bring a much more "business"-oriented view of risks; the
public relations officer, for example, will express concern about the risk of damage to image and
reputation.
Individual interview
Individual interviews are preferred because the interviewer can concentrate on the risk perception of a
single person. In general, more detailed information can be obtained (unlike a group interview, where each
member gives a summarized opinion) and individual interviews prevent a dominant member of the group from
influencing the responses of others ("sheep" effect).
The individual interview enables to more easily:
• Read the body language of the individual interviewed
• Identify the sensitive elements of the discussion
• Ensure the confidentiality of discussions with the interviewee
• Adjust the follow-up questions
• Obtain detailed information
• Avoid having dominant members to influence others
Group interview
Group interviews are more effective for establishing basic criteria, reaching a consensus on risk
assessment, discussing treatment options, etc. between the different members of a group.
Experience shows that the more an interview is prepared, the more productive the meeting will be. One strategy is to
build a checklist to ensure that interviews are conducted in a systematic and comprehensive manner and that appropriate
evidence is obtained. A checklist can include a list of definitions to ensure the uniformity of responses, and should
provide suitable space for answers, comments and observations. Each item in the checklist should include a reference to
the related clause of the standard. The person interviewed can receive the checklist before the meeting so as to be
adequately prepared for the interview.
During the interview, it may be useful to translate specialized information security terminology such as "threat" and
"vulnerability" into language more meaningful to non-specialist stakeholders, for example: "What are you trying to
avoid?" or "What do you fear may happen to this resource?"
The interview can be recorded if the person agrees. However, the most common practice is simply to take notes.
Recording can be perceived as intimidating by the person interviewed and could influence the interview. In addition,
there is rarely time to play back a recorded interview.
The interview notes should contain:
• Function of the interviewee (usually no name except for members of management: confidentiality) and date.
Example: Discussion with employee from information technologies department, September 3, 2006.
• Interview objectives
Example: Validating conformity of the training plan of the organization.
• Summary of evidence collected
The information documented must be recorded in clear, concise and accurate language. Write down only
facts, not judgements, and identify the weaknesses; the identified weaknesses will then be reported in the gap
analysis. The exact reference to the related standard should be listed with its clause number.
Gap analysis is a technique for determining the steps needed to move from the current state to a desired
future state. It answers three questions:
• What is our current situation?
• What is the target?
• What is the difference between the current situation and the target?
A gap analysis is conducted in three stages:
1. Determine the current state: identify the processes and security controls in place within the
organization, with their characteristics.
2. Identify the targets: determine the maturity level required for each security control, for example by
comparison with other organizations (or other divisions of the organization) using the technique of
"benchmarking".
3. Analyze the gap: identify the gap that may exist between the security controls currently in place and
the requirements of ISO 27001. This allows the organization to identify which current processes need
improvement.
The main usefulness of a gap analysis is to provide a basis for identifying and measuring the investment in
time, money, human resources and material resources needed to achieve the proposed implementation of
the ISMS.
The determination of the current state of the processes, their effectiveness and the implemented security
controls can be undertaken by the project team or outsourced to consultants external to the organization.
The advantage of entrusting the analysis to external actors is a report that will, in theory, be more neutral
and based on verification against industry best practices. To collect the data during the analysis phase, the
team responsible for this action has to get to know the situation well. In most cases, much of the analysis
will be based on responses to structured and semi-structured questionnaires which, depending on the choice
of the analysts or on contextual conditions, are sent in writing (or electronically) or administered during
interviews (so-called "semi-directive" interviews).
When using questionnaires, questions can be:
• Closed, that is to say they offer a limited choice of answers from which the respondent ticks the one(s) of
his choice.
Note: closed questions may suggest answers that are not spontaneous. They are especially useful for the
study of behavior (nature, frequency, etc.). Opinion scales are a particular format of closed question: they
provide information on the degree of support for a proposal, with people positioning themselves on an
"agreement/disagreement" scale of several levels.
• Open, that is to say the respondent has complete freedom of response.
Note: open questions collect more nuanced, richer and more complete information, but they are often more
difficult to analyze because they generate substantial content that must be processed by "content analysis".
The response rate to these questions is often lower. They are particularly suitable for the analysis of
opinions and attitudes.
Some tips for drafting your questionnaire:
• Keep questionnaires short. A document that is too long tires respondents, who may skip questions,
answer poorly, etc.
• Consider the usefulness of each question. Is it necessary? What use will the answer have?
• Consider encoding when writing the questions: provide a place to record the identification of the
questionnaire (to find the corresponding computer file), number your questions and the response codes
you will use for encoding, etc.
• Mix open and closed questions.
• Pre-test your questionnaire with one or more members of the target public.
Once the questionnaires have been answered, the results must be analyzed. Some methods of content
analysis are quantitative (decomposition, coding, counting, comparisons, correlations, etc.); others are
qualitative (structural analysis, contextualization, formal analysis). All are quite complex; become familiar
with them before you build your data collection tools.
ISO/IEC 21827 (Systems Security Engineering Capability Maturity Model, SSE-CMM) is a standard for measuring
the maturity of an organization's security engineering processes and its capability to improve them. It is
based on the CMM ® (Capability Maturity Model), originally developed by the Software Engineering Institute at
Carnegie Mellon University to evaluate the quality of the services provided by software vendors to the United
States Department of Defense (DoD). This model of capability evaluation and development is based on a
hierarchical grid of five maturity levels (see next slide).
The CMM is now widely used by R&D companies, IT service providers and software vendors to evaluate and
improve their own product development. The model has subsequently been derived and adapted to sectors
other than software engineering, including:
• CMMI (Capability Maturity Model Integration), which covers the development and maintenance of systems
and applications.
• TSP (Team Software Process), which specifies standardized practices for a project team.
• PSP (Personal Software Process), which specifies standardized practices for an individual developer.
• SSE-CMM (Systems Security Engineering Capability Maturity Model), which covers the security engineering
practices related to information systems and is the model standardized as ISO/IEC 21827.
Many other models and frameworks have adopted the CMM maturity scale. The best known is probably
COBIT, issued by ISACA (Information Systems Audit and Control Association).
To measure precisely the improvement of security processes during the initial implementation of the
ISMS and throughout the life cycle of the system, it is useful to rely on methodologies such as CMMI.
Such a model makes it possible, according to the key practices in place, to reach a proactive status for
the security activities that support the service. It is, however, insufficient on its own: it has to reckon
with the culture of the organization and allow the organization significant time to reach the necessary
maturity.
Mapping ISO 27001 on other references of best practices and methods
As many companies have recently taken steps to implement IT governance frameworks (the most often
cited being CMMI, COBIT and ITIL), the question arises of their coherence and mapping with the ISO 27000
family.
Rather than competing, these different standards can complement one another and enable economies of
scale. For example, the implementation of CMMI and ITIL processes facilitates the implementation of the
controls of ISO 27002. COBIT, with its approach to risk management, is also a possible route toward
implementing ISO 27001. It considers more types of risk than ISO 27001 (risks affecting the effectiveness,
efficiency and reliability of information systems, in addition to the more security-oriented criteria of
confidentiality, integrity, availability and compliance), but the approaches are fundamentally similar.
Generally, the ISO 27000 family can be considered as going deeper into information security and risk
management, which the other references treat more succinctly. It is also worth noting that ISO/IEC 20000,
the standard aligned with ITIL, now refers directly to ISO 27001 for the information security management
process.
The report should contain at least:
1. A summary description of the observed existing situation;
2. The target of the project;
3. The description of the differences between the situation as presented and the target to be achieved;
4. Various recommendations on how to get there.
0. Non-existent: Total absence of identifiable processes. The organization is not even aware that there is
an issue to be addressed.
1. Initial: There is evidence that the organization is aware of the issue and of the need to address it.
However, there is no standardized process; approaches tend to be applied individually or on a case-by-case
basis. There is no overall approach organized by management.
2. Managed: Processes have developed to the stage where different people performing the same task use
similar procedures. There is no formal training or communication of standard procedures, and responsibility
is left to the individual. There is a high reliance on the knowledge of individuals, and therefore a probability
of error.
3. Defined: Procedures have been standardized, documented and communicated through training sessions.
However, their use is left to individual initiative, and deviations are unlikely to be detected. The procedures
themselves are not sophisticated but formalize existing practices.
4. Quantitatively Managed: It is possible to monitor and measure compliance with procedures and to take
action where processes appear not to be working effectively. Processes are continuously improved and
reflect good practice. Automation and the use of tools are still limited or partial.
5. Optimized: Processes have reached the level of best practice, following continuous improvement and
comparison with other organizations (maturity modelling). IT is used in an integrated way to automate the
workflow, providing tools that improve quality and effectiveness and make the organization quick to adapt.
For the identification of existing and planned security controls, you can use the list of security controls of
ISO 27002 (or ISO 27001, Annex A). This gives an overview of the existing status in relation to security
best practices.
The reporting document summarizes the gap analysis made within the company, highlighting the actions to
be taken first. Its short-term objective is to promote the implementation of corrective or preventive
measures for assets with a high risk potential. In the medium and long term, the reporting template keeps
track of the planned measures and of the variance analyses carried out, demonstrating the continuous
improvement implemented in the organization.
A very visual way to present the measured differences (and a very revealing one for members of
management) is to aggregate data from the various tests, at least those that produce numerical values on
qualitative scales, and present them in a form that shows at a glance which elements are positive and which
can be improved.
In the "radar" chart (also called "spider chart") above, there are as many axes as there are categories.
The categories, here the control objectives of ISO 27001, all radiate from the central point and are shown
around the chart (the X axis). The values of the series (here the values assigned by the process maturity
analysis) are plotted along each axis (the Y axis) on the 0 to 5 maturity scale.
The chart shown here uses concentric circles; the presentation may vary, with line segments connecting the
points of a data series to form a "spider web" whose shape depends on the number of series and on the
value assigned to each category.
Advantages of this representation:
• Several series can be shown in a single chart.
• It is used in various domains to compare one series against another, as superimposed "spider webs" give
a good overview of a situation.
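The three stages of the gap analysis (current state, target, difference) and the per-category figures from which a radar chart is drawn can be scripted. The following is an added example written for this page; it is not part of the PECB course material or of any PECB tool. It aggregates control maturity scores per Annex A category, computes the gap to a target level, lists the controls to address first and returns the axes and values a radar chart would plot. The control identifiers, category names and scores are constructed for illustration only and are not an assessment of any real organization.

```python
"""Gap analysis helper for an ISMS pre-implementation review.

Added example, not part of the PECB course material. The control ids,
categories and maturity scores below are constructed for illustration
only; they are not an assessment of any real organisation.
"""
from collections import defaultdict
from math import pi

# Maturity scale from the preceding slide (0 = Non-existent ... 5 = Optimized)
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Initial",
    2: "Managed",
    3: "Defined",
    4: "Quantitatively Managed",
    5: "Optimized",
}
DEFAULT_TARGET = 3  # "Defined" is a common target for a first certification

# Constructed sample assessment: (control id, Annex A category, current maturity).
# Ids follow the ISO 27001:2013 Annex A numbering style; the scores are invented.
SAMPLE_ASSESSMENT = [
    ("A.5.1.1", "Information security policies", 3),
    ("A.5.1.2", "Information security policies", 2),
    ("A.9.2.1", "Access control", 2),
    ("A.9.2.3", "Access control", 1),
    ("A.9.4.2", "Access control", 3),
    ("A.12.1.2", "Operations security", 1),  # change management
    ("A.12.4.1", "Operations security", 2),
    ("A.16.1.1", "Incident management", 0),
    ("A.18.1.1", "Compliance", 4),
]


def validate(score):
    """Reject scores outside the 0-5 scale so a typo cannot skew an average."""
    if score not in MATURITY_LEVELS:
        raise ValueError(f"maturity score {score!r} is outside the 0-5 scale")
    return score


def category_maturity(assessment):
    """Stage 1, current state: mean maturity per category, one decimal."""
    scores = defaultdict(list)
    for _control_id, category, score in assessment:
        scores[category].append(validate(score))
    return {cat: round(sum(vals) / len(vals), 1) for cat, vals in scores.items()}


def gap_report(assessment, target=DEFAULT_TARGET):
    """Stages 2 and 3: compare the current state with the target and rank the gaps.

    `target` is either one level for every category or a dict of per-category
    levels (categories missing from the dict fall back to DEFAULT_TARGET).
    Returns [(category, current, target, gap)] with the largest gaps first;
    a category already above its target has a gap of 0.0.
    """
    current = category_maturity(assessment)
    rows = []
    for category, cur in current.items():
        tgt = target.get(category, DEFAULT_TARGET) if isinstance(target, dict) else target
        validate(tgt)
        rows.append((category, cur, tgt, round(max(tgt - cur, 0.0), 1)))
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows


def controls_below(assessment, threshold):
    """Controls to address first: every control scored below `threshold`."""
    return sorted(
        (cid, category, score)
        for cid, category, score in assessment
        if validate(score) < threshold
    )


def radar_series(report):
    """Axes and values for a radar chart: one axis per category, values on the
    0-5 scale. Angles are in radians, evenly spaced, starting at 0."""
    labels = [row[0] for row in report]
    step = 2 * pi / len(labels)
    angles = [i * step for i in range(len(labels))]
    return labels, angles, [row[1] for row in report], [row[2] for row in report]


def format_report(report):
    """Plain-text table for the gap analysis report."""
    lines = [f"{'Category':32} {'Now':>4} {'Target':>6} {'Gap':>4}"]
    for category, cur, tgt, gap in report:
        lines.append(f"{category:32} {cur:>4} {tgt:>6} {gap:>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = gap_report(SAMPLE_ASSESSMENT)
    print(format_report(report))
    print("Controls below level 2:", controls_below(SAMPLE_ASSESSMENT, 2))
    print("Radar axes:", radar_series(report)[0])
```

Averaging per category is what the radar chart needs; the ranked list of individual controls below a threshold is what the report's "actions to be taken first" section needs, and the two should be kept together so that a high category average does not hide a single control at level 0.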
From the information provided in the case study on the functioning of the change management process,
please rate the maturity level of this process. Also, the management of the organization would like to
receive recommendations from you to improve the processes in place to comply with the requirements of
ISO 27001 on change management.
Duration of the exercise: 30 minutes
Comments: 15 minutes