End to End Security Management with ISO 27001
Peter H. Gregory, CRISC, CISA, CISSP, DRCE, CCSK

About Me
- Security and risk manager, Concur Technologies
- Affiliations
  - Pacific CISO Forum
  - Infragard
  - FBI Citizens' Academy, 2008
- Author of ~27 books on security and technology
- Certified [motorcycle] rider coach
- petergregory (at) yahoo.com
- peter.gregory (at) concur.com

What is end to end security management?
- Risk-based
- Management supported
- Scope
  - All parts of the business
  - All parts of the technology
  - All of the people
    - ...or some well-defined and logical scope

What is effective security management?
- Supported by senior management
- Includes
  - Periodic risk assessments
  - Review and testing of controls
  - Management review
  - Continuous improvement
- Supported by
  - Documented processes
  - Business records

There is a recipe for effective, end to end security management

Inside ISO 27001
- Requirements
  - Steps to establish and maintain an effective information security management system (ISMS)
- Controls
  - The controls from ISO 27002 in abbreviated form
    - A good controls framework that is very similar to NIST 800-53

The Big Picture
- ISO 27001 Requirements – big picture
  - Establish, Operate, Monitor, Review the ISMS
  - Establish and maintain ISMS records
  - Establish effective document and records control
  - Management commitment and management reviews
  - Resource management
  - Perform internal audits
  - Continuous improvement

ISO 27001 Requirements Detail (1/6)
1. Establish the ISMS
   - Scope, boundaries
   - Policy
   - Risk assessment
   - Risk treatment
   - Statement of applicability
2. Operate the ISMS
   - Implement controls
   - Perform risk assessments, risk treatment
   - Implement training and awareness programs
   - Implement security incident detection and response processes

ISO 27001 Requirements Detail (2/6)
3. Monitor and review the ISMS
   - Detect and respond to errors
   - Identify security breaches and incidents
     - Learn from breaches and incidents, make needed changes
   - Manage and measure security-related activities
     - Measure the effectiveness of controls
     - Review risk assessments
     - Conduct internal audits
     - Conduct regular management reviews
     - Update security strategies and plans
     - Record actions and events that may impact the ISMS

ISO 27001 Requirements Detail (3/6)
4. Establish and maintain ISMS records
   - ISMS policy, scope, objectives, procedures, controls
   - Risk assessment methodology and report
   - Risk treatment plan
   - Documented procedures
   - Statement of Applicability
5. Establish effective document control
   - Revision, distribution, publication
6. Control of Records
   - ...which document the management of the ISMS

ISO 27001 Requirements Detail (4/6)
7. Management commitment
   - Communicating to the organization
   - Providing resources
   - Conducting management reviews
8. Resource management
   - Provide resources to operate the ISMS
   - Training, awareness, and competence
9. Perform internal ISMS audits

ISO 27001 Requirements Detail (5/6)
10. Conducting management reviews
    - Review inputs: results of audits and reviews, feedback from relevant parties, status of preventive and corrective actions, new vulnerabilities and threats, results from effectiveness measurements, recommendations for improvement
    - Outputs from management review: update of the risk assessment and treatment plan, modifications to procedures and controls (business requirements, security requirements, legal requirements, contractual obligations, risk acceptance criteria), resource needs, improvements

ISO 27001 Requirements Detail (6/6)
11. ISMS Improvement
    - Continual improvement
    - Corrective action process
      - Identifying nonconformities, their cause, actions to ensure they do not recur, method of corrective action, results, subsequent review
    - Preventive action process
      - Identifying potential nonconformities, their possible cause, actions to ensure they do not occur, method of preventive action, results, subsequent review

Why?
_X_ Security
___ Compliance

The ISO 27001 Standard
- Pros
  - Well known international standard
  - Fits every organization that wants top-down security management and wants to improve
  - Risk-based – not prescriptive
- Cons
  - The document itself is expensive (~$300)
  - Alternatives
    - NIST 800-26 (self assessment)
    - NIST 800-30 (risk assessments)
    - NIST 800-39 (enterprise risk management)
    - NIST 800-53 (controls)

How to do it
- Policies, procedures, records
- Annual risk assessment
- Incident management system
- Vulnerability management system
- Corrective and preventive action process
- Steering committees
- Above all: a spirit of continuous improvement

Concur and ISO 27001
- Concur certified starting in 2004
  - BS 7799, ISO 27001
  - 18th U.S. company to be certified to ISO 27001

Your Turn: Questions