First Practice - Information Security
Management System Implementation and
ISO 27001 Certification
Scope
• NBG Services
• Evaluation criteria
• Services and Business processes
• Evaluation results
• ISO/IEC 27001:2013 Certification
• Legal requirements
Scope
• International Payment and Reserve Management
Service
• Georgian Payment and Security Settlement Service
• Human resources, Public Relations, Chancellery,
Logistics, Legal, Accounting, Internal Audit)
• All Types of Information Assets
Approach
Goals
• Ensure compliance
Confidentiality, Availability And Integrity needs.
• Establish controls for protection.
• Motivate employees
• Ensure in continuity.
• Ensure the protection of personal data (privacy).
• Ensure the availability and reliability of
Infrastructure.
• Comply with - ISO/IEC 27001:2013.
• Ensure in external service providers compliance.
• Ensure flexibility and an acceptable level of
InfoSec security
Acceptable Level
Current CMM Level
Req. CMM Level
A.5 Information Security Policies
5 4
A.6 Organisation of information
A.18 Compliance
4
security
4
4
3
A.17 Information security aspects of
business continuity management 4
4 A.7 Human resources security
3
2
3
2 1
A.16 Information security incident
4
management
4 A.8 Asset management
1
3
2
0
3
A.15 Supplier relationships 4
1
4 A.9 Access control
3
A.14 System acquisition,
4
development and maintenance
4 A.10 Cryptography
3
3
3
A.13 Communications security
4
4
A.12 Operations security
4A.11 Physical and environmental
security
Initiation Project
• Competent Consultancy service
• Accreditation requirements
• Tender documentation
• Service requirements
• Project Management Practice
Policy
•
•
•
•
•
•
•
•
•
•
Context of the National Bank of Georgia
Scope (Procedure)
policy (Policy)
Objectives (Procedure)
Roles and Responsibilities (Procedure)
Risk management (Procedure)
Documented information (Procedure)
Internal audit (Procedure)
ISMS Policy Manual
Employee Guidelines National Bank of Georgia
Policy Cont.
•
•
•
•
•
•
•
•
Business Continuity Plan
BCP Procedure (Procedure)
Business continuity (policy)
Risk treatment plan
Statement of Applicability (SoA)
Plan to archive Information security objectives
Contracting rules and templates
Contract template with new employee (Contract
template)
• Internal audit plan
• Information classification rule (Procedure)
• Awareness program and training presentation
Records, Reports
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Business impact analysis (Record)
BCP Testing and Maintenance Cycles (Record)
BCP Testing Report (Report)
Assets register (Report)
Risk identification and assessment (Report)
Risk treatment report (Report)
ISMS objectives status report (Report)
Evidence of competence (Record)
Monitoring and measurement (Record)
Internal audit program (Record)
Internal Audit report (Report)
List of corrective actions with results of effectively analysis (Record)
ISMS Management review (Record)
ISMS Contacts with authorities and special groups (Record)
List of suppliers related to ISMS (Record)
Regulation about acceptance of residual risks (Report)
Decision Making
• Maximum 1 Working day
• Information security management committee and
working group
• Change management committee
• Business continuity management committee and working
group
• 2 months for 1 Service.
Acceptable Level
A.5 Information Security Policies
5
A.6 Organisation of information
A.18 Compliance
security
4
A.17 Information security aspects
of business continuity
management
3
A.7 Human resources security
2
A.16 Information security incident
management
1
A.8 Asset management
0
A.15 Supplier relationships
A.9 Access control
A.14 System acquisition,
development and maintenance
A.10 Cryptography
A.11 Physical and environmental
security
A.13 Communications security
A.12 Operations security
Current CMM Level
Req. CMM Level
Audit Result
• No critical nonconformities
• No nonconformities
• Several recommendations
• 8 domains are on fifth level of CMM
• 6 domains are on fourth level of CMM
• ISO/IEC 27001:2013 cerficate
Thank You