Slide 1: ISO/IEC 27001 Standard for Information Security Management Systems
© 2013 Cambridge Technical Communicators

Slide 2: Information Security Requirements
• ISO 27001 specifications
• ISO 27002 code of practice
• Download from BSI website: http://17799.standardsdirect.org
• The Information Security Forum (ISF) publishes the 2007 Standard of Good Practice (SoGP)

Slide 3: Process
• A) Identify information security risks: threats, vulnerabilities and impacts
• B) Design/implement information security controls: risk management - risk avoidance/risk transfer
• C) Maintain security policy / adopt management process

Slide 4: ISMS
• Information Security Management System
• Broad set of general and IT-specific policies and controls that span the organisation
• Includes IT, HR, management, business continuity, incident management and other business functions/areas:

Slide 5: Examples
• Teleworking/home working: access to data
• Training staff: on information security issues and procedures
• Recruitment: security checks
• Data retention policies: how long, where stored, how backups are made, who can access
• Staff roles: security permissions, access to sensitive information
• Access to data by third parties and suppliers

Slide 6: Certification process
• Stage 1 - informal review of security documentation
• Stage 2 - formal and detailed compliance audit
• Stage 3 - follow-up reviews and audits

Slide 7: Security Documents
• Security policy document
• Statement of Applicability (SoA)
• Risk Treatment Plan (RTP)
• Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy

Slide 8: Mandatory requirements
• Define scope
• Define ISMS policy
• Define roles and responsibilities
• Define the risk assessment approach & criteria for accepting risk
• Define a level of acceptability of risk
• List assets & define owners
• Identify threats, vulnerabilities, impact, likelihood and risk for each asset

Slide 9: Mandatory requirements (continued)
• Estimate levels of risk and define whether risks are acceptable or not
• Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable
• List controls to implement
• Manage lifecycle of documentation
• Obtain management approval of residual risks and of the implementation plan
• Manage resources

Slide 10: Mandatory requirements (continued)
• Manage communications
• Implement controls
• Implement a metric for each control
• Monitor performance of the controls
• Review effectiveness of the controls
• Corrective actions
• Preventive actions
• Management reviews
• Internal audits
• Write statement of applicability

Slide 11: ISMS Project Plan
• Identify documents and procedures required by ISO 27001; locate templates and forms
• List activities to implement the security plan: define scope, gap analysis, asset identification, risk assessment, SoA, policies, business continuity, internal audit

Slide 12: Thank you
We appreciate your interest in CTC
Tel: +44 0870 803 2095
Email: info@technical-communicators.com
Web: www.technical-communicators.com