ISACA Lithuania Chapter (180) June Meeting
ISMS Implementation Pitfalls & Misconceptions
JATIN SEHGAL, Quality Manager, EY CertifyPoint
2010-06-16

Agenda
01 Introduction to ISO/IEC 27003:2010
02 Completing the Deming Cycle (Plan-Do-Check-Act)
03 Achieving performance during ISMS implementation
04 Defining Scope & Boundaries of ISMS
05 Challenges faced by organizations when implementing an ISMS
06 Common Pitfalls and Mistakes in ISMS Implementation
Confidential ISMS Implementation – “Pitfalls & Misconceptions”

Introduction to ISO/IEC 27003:2010

ISO 27003:2010 - Introduction
1. Introduction
2. Scope
3. Terms and definitions
4. Obtaining management approval for initiating an ISMS project
5. Defining ISMS scope, boundaries and ISMS policy
6. Conducting information security requirements analysis
7. Conducting risk assessment and planning risk treatment
8. ISMS improvement
9. Designing the ISMS
10. Appendix A: Checklist description
11. Appendix B: Roles and responsibilities for Information Security
12. Appendix C: Information about Internal Auditing
13. Appendix D: Structure of policies
14. Appendix E: Monitoring and measuring
This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.

What do you want to achieve?
(Figure: Security versus Certification)

Completing the Deming Cycle (Plan-Do-Check-Act)

The DEMING CYCLE – Plan, Do, Check, Act
(Figure: Deming Cycle – Plan, Do, Check, Act)

Information Security Management System
► A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.
► An ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
► A management system is a means by which business processes remain aligned with the business and are repeatable. Combined with the information security objectives, the ISMS is defined using a Plan-Do-Check-Act cycle.
► Plan-Do-Check-Act is a cyclical process.
► With each iteration you can expand the policy and objectives, and the scope of the ISMS.

Information Security Management System
Documentation requirements
► A successful ISMS meeting the requirements of ISO 27001:2005 requires documentation.
► If an organization is planning to become certified, documentation will be essential.
► Certifying bodies performing audits will use documentation as an integral component of the certification process.
► This is where many companies fail!
Management requirements
► ISO/IEC 27001:2005 defines certain management responsibilities and requirements.
► These include commitment to the ISMS, resource management, and training, awareness and readiness.
► Management needs to understand the key role they play in a successful ISMS.
Information Security Control requirements
► Based on the outcome of the IS risk assessment and management decision (expectations).

The ISMS in More Detail
Plan – Establish ISMS
• Define the scope & boundaries
• Define ISMS policy
• Define risk assessment approach
• Identify and assess risks
• Evaluate options for treatment of risks
• Select controls (Annex A)
• Obtain management approval
• Prepare a Statement of Applicability
Do – Implement and operate ISMS
• Formulate and implement risk treatment plan
• Implement selected controls
• Implement training and awareness programs
• Manage operations of the ISMS
• Manage resources for the ISMS
• Implement procedures for detecting/handling security incidents
Check – Monitor and review ISMS
• Execute monitoring procedures
• Review and measure effectiveness of ISMS
• Conduct internal ISMS audits
• Undertake management review
• Update security plans
• Record actions and events that impact ISMS
Act – Maintain and improve ISMS
• Implement identified improvements
• Take corrective and preventive actions
• Communicate actions and improvements

Introduction to Information Security Management System (3)
Management framework: policies relating to ISO 27001:2005 Requirement 4
Level 1 – ISMS Design: policy, scope, risk assessment, statement of applicability
Level 2 – Policies/Procedures: describes processes – who, what, when, where (4.1–4.10)
Level 3 – Work Instructions, checklists, forms, etc.: describes how tasks and specific activities are done
Level 4 – Records: provides objective evidence of compliance to ISMS requirements (clause 3.6)

Achieving performance during ISMS implementation
► Spend time to clearly define the scope & boundaries of the ISMS.
► Develop an ISMS Project Plan and get it approved by Management.
► Identify quick-win solutions and do not wait for the release of the ISPP.
► Keep some gap between the release date and the effective date of the ISMS to identify opportunities for improvement.
► Keep management involved at each step and define critical success factors.
► Categorize implementation of security controls by “High”, “Medium” and “Low” priority.
► Identify implementation interdependencies at an initial stage and prioritize accordingly.
► Keep pace with the changes in the security environment that might affect implementation.
► Treat it like a formal security project.
► Arrange workshops and awareness sessions, and prepare communication strategies to spread knowledge from the beginning.
► Secure required resources for the project before initiating.

Defining Scope & Boundaries of ISMS
ISMS SCOPE
Location
► Office Buildings,
► Rooms,
► Remote Locations,
► Sites, etc.
Organization & Structure
► Departments,
► Business Processes,
► Roles, etc.
Enterprise Assets
► Hardware,
► Software,
► People,
► Services, etc.
Technology
► Applications,
► Servers,
► Network Infrastructure,
► Domains/Security Zones, etc.

Challenges faced by organizations when implementing an ISMS
► Lack of management commitment (inadequate governance/enforcement) and budget;
► Bringing about cultural change in the organization (resistance by employees, or a feeling that security is an additional burden);
► Lack of skilled resources;
► Unclear or unrealistic scope and boundaries of the ISMS (confusion about where to start and where to stop);
► Legacy systems hinder the implementation of security controls;
► Confusion over automated versus manual execution of processes;
► Too many tools to choose from, but none suiting the exact requirements;
► Fear of losing operations, leading to sluggish progress;
► Lack of clarity about end results;
► Roles not clear to employees;
► Lack of knowledge of risk exposures or of changes to the risk appetite;
► Lack of ownership & integration amongst the various (in-scope) departments;
► A perception of the ISMS as a highly complex system and a seemingly huge task;
► Too many versions of the same document, resulting in confusion.

Common Pitfalls and Mistakes in ISMS Implementation

Common Pitfalls
► Pressure to go in for certification immediately after the implementation of an ISO 27001 ISMS.
► Losing sight of the mandatory requirements of ISO 27001:2005.
► Written policies and procedures that are not mapped to the SoA and ISMS requirements;
► Risk assessment results are not linked with the selection of controls;
► Evidence of management support is insufficient or unclear;
► Security policies are vague (too high level) or too complex;
► Lack of understanding of security responsibilities and management intent;
► Lack of resources for ISMS implementation, leading to an unmanageably long project;
► No way of fully understanding the security program deficiencies, and no standardized way of improving upon them;
► Lack of knowledge of applicable regulations, laws or policies;
► Relying fully on technology, or fully on manual procedures, for all security solutions;
► A “fire alarm” approach to any breach instead of a calm, proactive and detective approach;
► A false sense of security with an undercurrent of confusion;
► Lack of integration with business processes;
► Bypassing policies and taking exceptions, losing the spirit of the ISMS.

Questions

Ernst & Young CertifyPoint
Thank You
Jatin Sehgal
+31 6 2908 4825
Jatin.sehgal@nl.ey.com