Session 1: ISMS Concepts

• Information and Information Security
• Information Security Management System
• Purpose of ISMS
• Process of developing ISMS
• Characteristics of good ISMS

What is Information?

Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. (ISO/IEC 27002)

Asset: anything that has value to the organization.

Information can exist in many forms:
• data stored on computers
• transmitted across networks
• printed out
• written on paper
• sent by fax
• stored on disks
• held on microfilm
• spoken in conversations over the telephone
• ...

Information Life Cycle

Information can be:
• Created
• Stored
• Processed
• Transmitted
• Destroyed?
• Copied
• Used (for proper and improper purposes)
• Lost!
• Corrupted!

Whatever form the information takes, or the means by which it is shared or stored, it should always be appropriately protected throughout its life cycle.

ISMS Auditor / Lead Auditor Training Course Version 4.4

Some Common Security Concerns to Information Assets

(Diagram: an organization's systems and network, reachable over VSAT, leased and dial-in links and the Internet, surrounded by the following concerns.)
• High user knowledge of IT systems
• Theft, sabotage, misuse, hacking
• Version control problems
• Unrestricted access
• Systems / network failure
• Virus
• Lack of documentation
• Fire
• Natural calamities

What is needed?

Management concerns:
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security measures / controls:
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management

Examples?
Information Security

Information security is about protecting information through the selection of appropriate security controls. It:
• protects information from a range of threats
• ensures business continuity
• minimizes financial loss
• maximizes return on investments and business opportunities

Objectives of Information Security

Preservation of:
• Confidentiality: ensuring that information is available only to those authorised to have access.
• Integrity: safeguarding the accuracy and completeness of information and processing methods.
• Availability: ensuring that information and vital services are available to authorized users when required.

Information Security Model

(Figure: Information Security Model. Recoverable labels: Information Systems, Logical Security, Physical Security, Organisational, Procedural.)

Why ISMS?
• Information security that can be achieved through technical means is limited.
• Security also depends on people, policies, processes and procedures.
• Resources are not unlimited.
• It is not a one-off exercise, but an ongoing activity.
• All of these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).

Information Security Management System (ISMS)

An ISMS is that part of the overall management system, based on a business risk approach, that serves to:
• Establish
• Implement
• Operate
• Monitor
• Review
• Maintain & improve
information security.

An ISMS is a management assurance mechanism for the security of information assets concerning their:
• availability
• integrity and
• confidentiality

Process for developing an ISMS

(Diagram, read from the bottom up:)
1. Assets identification & valuation
2. Threats & vulnerabilities assessment
3. Risk assessment
4. Security requirements (alongside legal requirements and business requirements)
5. Selection of controls (ISO/IEC 27001)
6. Information Security Management System: policy, procedures & controls

Characteristics of a good ISMS

(Diagram: the chain Threat → Incident → Damage → Recovery, with the following measures acting along it.)
• Prevention and Reduction (acting on the threat, before an incident)
• Detection and Repression (acting on the incident)
• Correction (acting on the damage)
• Evaluation (after recovery)

ISMS Standards

ISO/IEC 27001:2005
• A specification (specifies requirements for implementing, operating, monitoring, reviewing, maintaining & improving a documented ISMS)
• Specifies the requirements for implementing security controls, customised to the needs of the individual organisation or part thereof.
• Used as a basis for certification

ISO/IEC 27002:2005 (originally ISO/IEC 17799:2005)
• A code of practice for information security management
• Provides best practice guidance
• Use as required within your business
• Not for certification

The security control clauses of ISO 27001 and ISO 27002 are fully harmonized.

ISMS family of Standards: Relationship (status as on 31st March, 2010)

General (terminology):
• ISO 27000:2009 - Overview and Vocabulary
Requirements:
• ISO 27001:2005 - Requirements
• ISO 27006:2006 - Certification body requirements
General guidelines:
• ISO 27002:2005 - Code of Practice
• ISO 27003:2010 - Implementation Guidance
• ISO 27004:2009 - Measurements
• ISO 27005:2008 - Risk Management
• ISO 27007:2010? - Audit Guidelines
Sector specific guidelines:
• ISO 27011:2009 - Telecommunications Organizations
• ISO 27799:2008 - Health Organizations

Other Related Standards

ISO/IEC TR 18044:2004
• IT Security techniques — Information security incident management
ISO/IEC 17021
• Conformity assessment — Requirements for bodies providing audit and certification of management systems
ISO/IEC 19011:2002
• Guidelines for management system auditing

PDCA Model applied to ISMS Processes

(Diagram: the Development, Maintenance and Improvement Cycle. Interested parties' information security requirements & expectations enter the cycle; managed information security for the interested parties is its output.)
• Plan: Establish ISMS
• Do: Implement & Operate ISMS
• Check: Monitor & Review ISMS
• Act: Maintain & Improve ISMS

ISO 27001 Structure

1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
   4.1 General
   4.2 Establish and manage ISMS
   4.3 Documentation
   4.3.3 Control of Records
5. Management Responsibility
   5.1 Management Commitment
   5.2 Resource Management
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
   8.1 Continual Improvement
   8.2 Corrective Actions
   8.3 Preventive Actions
Annexures A, B & C

ISMS process framework requirements (ISO 27001 Clauses 4-8)

4. Information Security Management System
   • 4.2 Establishing and managing the ISMS
   • 4.3 Documentation requirements
5. Management Responsibility
6. Internal ISMS Audits
   Why conduct internal audits? Who conducts internal audits?
7. Management Review of the ISMS
8. ISMS Improvements
   What is the difference between corrective action and preventive action?

ISMS control requirements

Annexure A: Control objectives & controls (ISO 27001)
• 11 domains
• 39 control objectives (these specify the requirements)
• 133 controls (these satisfy the control objectives)

Structure of Annexure A

A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical & environmental
A.10 Communications & operations management
A.11 Access control
A.12 Info. Systems Acquisition, development & maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance

ISO 27002 Structure

• 1 introductory clause on risk assessment and treatment
• 11 security control clauses (fully harmonised with ISO 27001)
• 39 main security categories, each containing:
  o a control objective and
  o one or more controls to support achievement of the control objective
• Control descriptions, each containing:
  o Control statement
  o Implementation guidance
  o Other information

Session 05: ISMS Implementation, Documentation, Maintenance & Improvement

• Action plan for ISMS implementation
• Activities in establishing, implementing, monitoring and improving the ISMS
• Documentation requirements of the ISMS

Preparation & Implementation

(Flowchart, top to bottom:)
1. Management decision & continued commitment
2. Study ISO 27001:2005
3. Establish ISMS framework:
   • Establish security organization, responsibility & infrastructure
   • Designate a Chief Information Security Officer
   • Establish a Security Forum
   • Encourage participation by all
4. Develop inventory of assets
5. Gap analysis / status appraisal
6. Establish ISMS documentation
7. Create awareness; provide training(s) as needed
8. Implement
9. Monitor:
   • Technical compliance
   • Internal ISMS audits
   • Management review
10. Update & continually improve

Establishing and Managing the ISMS

1. Establish the ISMS (PLAN)
2. Implement the ISMS (DO)
3. Monitor and review the ISMS (CHECK)
4. Maintain & improve the ISMS (ACT)

Exercise: the participants, in four groups, are to identify the various activities falling under PLAN, DO, CHECK and ACT. Preparation time: 10 min.

ISMS Documentation

• Why documentation?
• What needs to be documented?
• What are the mandatory procedures required by ISO 27001?

Documents and records can be in any form or type of medium.

Typical ISMS Document Classification

Security Policy Manual
• Summary of the management framework, including the information security policy and the control objectives and implemented controls given in the Statement of Applicability.
Procedures
• Procedures adopted to implement the required controls.
Operational Documents
• Explain the details of specific tasks or activities.
Records
• Evidence of activities carried out.

Extent of Documentation

The level of detail in the documentation depends on:
• Size & type of organization
• Complexity & interaction of processes
• Complexity of infrastructure
• Competence of personnel

Session 11: Certification Industry & Process

• Certification process
• ISMS certification and legal compliance

Certification Process

• Application (application fee, supporting documents)
• Cursory evaluation
• Adequacy assessment
• Stage 1 audit
• Stage 2 audit
• Certification
• Maintenance of certification

Other aspects:
• Renewal
• Modification to the scope of certification
• Suspension / withdrawal / cancellation
• Appeals & complaints

Basic Requirements for Certification - 1

Evidence of creation of the ISMS through the system requirements:
• Information security policy
• Scope statement
• Risk assessment
• Statement of Applicability
• The management system

Basic Requirements for Certification - 2

Evidence of operation of management controls:
• Management review
• Various forms of system review
• Document management
• Records management

Existence of essential controls:
• Implementation & effectiveness of the controls selected as applicable

Maintenance of Certification

Surveillance audits
• The purpose of surveillance is
  o to verify that the approved ISMS continues to be implemented,
  o to consider the implications of changes to that system initiated as a result of changes in the client organization's operation, and
  o to confirm continued compliance with certification requirements.
• Surveillance programmes should normally cover
  o the system maintenance elements, which are internal ISMS audit, management review and preventive and corrective action;
  o changes to the documented system;
  o areas subject to change;
  o selected elements of ISO/IEC 27001;
  o other selected areas as appropriate.

ISMS Certification vs Legal Compliance

• ISMS certification is voluntary and is not a substitute for compliance with legal requirements.
• Compliance with ISO 27001 does not in itself confer immunity from legal obligations.
• The maintenance and evaluation of legal and regulatory compliance is the responsibility of the client organization.
• The certification body shall restrict itself to checks and samples in order to establish confidence that the ISMS functions in this regard.
• The certification body shall verify that the client organization has a management system to achieve the legal and regulatory compliance applicable to its information security risks and impacts.

Benefits of ISO 27001 Certification

• An internationally recognized, structured methodology
• A single reference point for identifying the range of controls needed for most situations where information systems are used
• A defined process to evaluate, implement, maintain and manage information security
• The standard provides a yardstick against which security can be judged
• A set of tailored policies, standards, procedures and guidelines
• Facilitation of trade in a trusted environment
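The slides "Process for developing an ISMS" (asset identification and valuation, threat and vulnerability assessment, risk assessment, selection of controls) and "Basic Requirements for Certification - 1" (risk assessment and Statement of Applicability) describe the pipeline an auditor expects to see evidence of, but do not show what the resulting artefacts look like. The following Python example is added here and is not part of the training course or of any ISO standard. It assumes a simple qualitative scheme (1 to 5 ratings, risk = impact × likelihood, management acceptance level of 9), which is only one of the many methods ISO 27005 allows; the assets, threats, vulnerabilities and legal/business drivers are constructed sample data. The Annex A domain names come from the "Structure of Annexure A" slide; no individual control numbers are used.

```python
from dataclasses import dataclass

# Scales, formula and acceptance level are assumptions chosen for illustration;
# the course does not prescribe a scoring method.
RISK_ACCEPTANCE_LEVEL = 9           # risks scoring at or below this are accepted

# Annex A domains as listed on the "Structure of Annexure A" slide.
ANNEX_A_DOMAINS = [
    "A.5 Security Policy",
    "A.6 Organization of Information Security",
    "A.7 Asset Management",
    "A.8 Human Resources Security",
    "A.9 Physical & environmental",
    "A.10 Communications & operations management",
    "A.11 Access control",
    "A.12 Info. Systems Acquisition, development & maintenance",
    "A.13 Information Security Incident Management",
    "A.14 Business Continuity Management",
    "A.15 Compliance",
]

# Legal and business requirements also feed control selection (see the
# "Process for developing an ISMS" diagram); constructed examples.
OTHER_REQUIREMENTS = {
    "A.15 Compliance": "legal requirement: data protection legislation (assumed)",
    "A.5 Security Policy": "business requirement: management-approved policy for the ISMS",
}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1 (low) .. 5 (high): harm if disclosed
    integrity: int         # harm if altered or corrupted
    availability: int      # harm if unavailable when required


@dataclass(frozen=True)
class Threat:
    asset: str             # Asset.name the threat acts on
    threat: str
    vulnerability: str     # weakness the threat could exploit
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    affects: str           # "C", "I" or "A": objective that would be harmed
    domain: str            # Annex A domain whose controls would treat the risk


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    score: int
    treatment: str         # "accept" or "treat"
    domain: str


# Constructed sample register (not from the course).
ASSETS = [
    Asset("Customer database", confidentiality=5, integrity=5, availability=4),
    Asset("Public website", confidentiality=1, integrity=4, availability=4),
    Asset("Paper HR files", confidentiality=4, integrity=3, availability=2),
]
THREATS = [
    Threat("Customer database", "Theft of data", "Shared administrator accounts", 4, "C", "A.11 Access control"),
    Threat("Customer database", "Hardware failure", "Backups never restore-tested", 3, "A", "A.14 Business Continuity Management"),
    Threat("Public website", "Defacement", "Unpatched content management system", 3, "I", "A.12 Info. Systems Acquisition, development & maintenance"),
    Threat("Paper HR files", "Fire", "Files kept on open shelving", 1, "A", "A.9 Physical & environmental"),
    Threat("Paper HR files", "Unauthorised reading", "Cabinet left unlocked", 2, "C", "A.11 Access control"),
]


def assess(assets, threats):
    """Asset valuation + threat/vulnerability assessment -> scored, ranked risks."""
    by_name = {a.name: a for a in assets}
    risks = []
    for t in threats:
        a = by_name[t.asset]
        # Impact is the asset's rating for the objective (C, I or A) the threat harms.
        impact = {"C": a.confidentiality, "I": a.integrity, "A": a.availability}[t.affects]
        score = impact * t.likelihood
        treatment = "accept" if score <= RISK_ACCEPTANCE_LEVEL else "treat"
        risks.append(Risk(a.name, t.threat, t.vulnerability, impact,
                          t.likelihood, score, treatment, t.domain))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def statement_of_applicability(risks, domains=ANNEX_A_DOMAINS, other=OTHER_REQUIREMENTS):
    """Every Annex A domain gets an entry: applicable (with its driver) or excluded (with a justification)."""
    risk_driven = {}
    for r in risks:
        if r.treatment == "treat":
            risk_driven.setdefault(r.domain, []).append(f"{r.asset}: {r.threat} (risk {r.score})")
    soa = {}
    for d in domains:
        reasons = []
        if d in risk_driven:
            reasons.append("risk assessment: " + "; ".join(risk_driven[d]))
        if d in other:
            reasons.append(other[d])
        if reasons:
            soa[d] = ("Applicable", " | ".join(reasons))
        else:
            soa[d] = ("Not applicable", "no risk above the acceptance level and no legal or business requirement mapped to this domain")
    return soa


if __name__ == "__main__":
    ranked = assess(ASSETS, THREATS)
    for r in ranked:
        print(f"{r.score:>3} {r.treatment:<7} {r.asset}: {r.threat} [{r.vulnerability}] -> {r.domain}")
    print()
    for d, (status, why) in statement_of_applicability(ranked).items():
        print(f"{status:<15} {d}: {why}")
```

Two points the output makes visible that the slides only state: a risk that is accepted (the unlocked HR cabinet scores 8, below the acceptance level) still appears in the register with its score, which is the evidence an auditor looks for when checking that acceptance was a decision rather than an omission; and every Annex A domain appears in the Statement of Applicability with a justification, whether selected by risk, by a legal or business requirement, or excluded.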