P Gregory ISO.pptx

End to End Security
Management with ISO 27001
PETER H. GREGORY
CRISC, CISA, CISSP, DRCE, CCSK
About Me
—  Security and risk manager, Concur Technologies
—  Affiliations –
¡  Pacific CISO Forum
¡  Infragard
¡  FBI Citizens’ Academy, 2008
—  Author of ~27 books on security and technology
—  Certified [motorcycle] rider coach
petergregory (at) yahoo.com
peter.gregory (at) concur.com
What is end to end security management?
—  Risk-based
—  Management supported
—  Scope
¡  All parts of the business
¡  All parts of the technology
¡  All of the people
÷  or some well-defined and logical scope
What is effective security management?
—  Supported by senior management
—  Includes
¡  Periodic risk assessments
¡  Review and testing of controls
¡  Management review
¡  Continuous improvement
—  Supported by
¡  Documented processes
¡  Business records
There is a recipe for effective, end to end security management
Inside ISO 27001
—  Requirements
¡  Steps to establish and maintain an effective information security management system (ISMS)
—  Controls
¡  The controls from ISO 27002 in abbreviated form
÷  A good controls framework that is very similar to NIST 800-53
The Big Picture
ISO 27001
—  Requirements – big picture
¡  Establish, Operate, Monitor, Review the ISMS
¡  Establish and maintain ISMS records
¡  Establish effective document and records control
¡  Management commitment and management reviews
¡  Resource management
¡  Perform internal audits
¡  Continuous improvement
The Big Picture
ISO 27001 Requirements Detail (1/6)
1.  Establish the ISMS
¡  Scope, boundaries
¡  Policy
¡  Risk assessment
¡  Risk treatment
¡  Statement of applicability
2.  Operate the ISMS
¡  Implement controls
¡  Perform risk assessments, risk treatment
¡  Implement training and awareness programs
¡  Implement security incident detection and response processes
ISO 27001 Requirements Detail (2/6)
3.  Monitor and review the ISMS
¡  Detect and respond to errors
¡  Identify security breaches and incidents
÷  Learn from breaches and incidents, make needed changes
Manage and measure security-related activities
¡  Measure the effectiveness of controls
¡  Review risk assessments
¡  Conduct internal audits
¡  Conduct regular management reviews
¡  Update security strategies and plans
¡  Record actions and events that may impact the ISMS
ISO 27001 Requirements Detail (3/6)
4.  Establish and maintain ISMS records
¡  ISMS policy, scope, objectives, procedures, controls
¡  Risk assessment methodology and report
¡  Risk treatment plan
¡  Documented procedures
¡  Statement of Applicability
5.  Establish effective document control
¡  Revision, distribution, publication
6.  Control of Records
¡  …which document the management of the ISMS
ISO 27001 Requirements Detail (4/6)
7.  Management commitment
¡  Communicating to the organization
¡  Providing resources
¡  Conducting management reviews
8.  Resource management
¡  Provide resources to operate the ISMS
¡  Training, awareness, and competence
9.  Perform internal ISMS audits
ISO 27001 Requirements Detail (5/6)
10.  Conducting management reviews
¡  Review inputs: results of audits and reviews, feedback from relevant parties, status of preventive and corrective actions, new vulnerabilities and threats, results from effectiveness measurements, recommendations for improvement
¡  Outputs from management review: update of the risk assessment and treatment plan, modifications to procedures and controls (business requirements, security requirements, legal requirements, contractual obligations, risk acceptance criteria), resource needs, improvements
ISO 27001 Requirements Detail (6/6)
11.  ISMS Improvement
¡  Continual improvement
¡  Corrective action process
÷  Identifying nonconformities, their cause, actions to ensure they do not recur, method of corrective action, results, subsequent review
¡  Preventive action process
÷  Identifying potential nonconformities, their possible cause, actions to ensure they do not occur, method of preventive action, results, subsequent review
Why?
_X_ Security
___ Compliance
The ISO 27001 Standard
—  Pros
¡  Well known international standard
¡  Fits every organization that wants top-down security management and wants to improve
¡  Risk-based – not prescriptive
—  Cons
¡  The document itself is expensive (~$300)
¡  Alternatives
÷  NIST 800-26 (self assessment)
÷  NIST 800-30 (risk assessments)
÷  NIST 800-39 (enterprise risk management)
÷  NIST 800-53 (controls)
How to do it
—  Policies, procedures, records
—  Annual risk assessment
—  Incident management system
—  Vulnerability management system
—  Corrective and preventive action process
—  Steering committees
—  Above all: a spirit of continuous improvement
Concur and ISO 27001
—  Concur certified starting in 2004
¡  BS 7799, ISO 27001
¡  18th U.S. company to be certified to ISO 27001
Your Turn: Questions