ISO 27001 and ISO 27002:2005
INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)

Dr Muliaro J Wafula PhD, FCCS
Aims/objectives
1. Introduction
2. Information security standards
   ◦ Clauses
   ◦ Control objectives
   ◦ Controls
3. ISMS implementation using the PDCA model



                            Dr Muliaro-ISMS   2
Information Security (IS) Definition
   Why IS?
   1. Ensure business continuity
   2. Reduce/prevent damage to the business
   3. Ensure preservation of confidentiality, integrity and availability of information; authenticity, accountability, non-repudiation and reliability are also enhanced
   4. Interconnection of networks poses risk
   5. Trends in distributed computing
   6. Participation of customers/employees/stakeholders
   7. Marketing of products/services
   8. Internal management tool for control and confidence
   9. Dependence on information systems, which are vulnerable to IS threats
   10. Information, systems and networks are key business assets
                                      Dr Muliaro-ISMS               3
Information Security Management System (ISMS)
 Definition: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
 A management process with 3 key components:
   ◦ Confidentiality - available to authorized parties only
   ◦ Integrity - accurate and complete
   ◦ Availability - accessible and usable when required
                              Dr Muliaro-ISMS   4
Information Types
 Internal
 Public
 Private
 Customer/client
 Shared, etc.




                    Dr Muliaro-ISMS   5
Info security risks
   Information theft
   Intrusion and subversion of system resources
   Denial of service
   Loss
   Corruption
   Masquerade
   Paper documents
   What are the most common IS mistakes made by individuals?
                        Dr Muliaro-ISMS    6
Common IS mistakes
1. Unattended computer left on
2. Bad password etiquette - no defaults
3. Laptops stolen
4. Keeping passwords on post-it notes
5. Opening e-mail attachments from strangers
6. Loose talk about passwords in public
7. Getting into a rush and bypassing key security measures
8. Vague knowledge of the security policy
9. Non-reporting of security violations
10. Late in updating
11. Check-in/check-out workers' ethics


                                 Dr Muliaro-ISMS         7
Selection of Controls
 The expenditure on controls needs to be balanced against the business harm/risk they address
 Common ones include:
   ◦ Data protection and privacy of personal information (15.1.4)
   ◦ Protection of organizational records (15.1.3)
   ◦ Intellectual property rights (15.1.2)
   ◦ Information security policy document (5.1.1)
   ◦ Business continuity management (14), etc.
                            Dr Muliaro-ISMS     8
ISO 27002:2005
 Provides guidance on best practices for information security management
 Prime objectives are:
   ◦ A common basis for organizations
   ◦ Building confidence in inter-organizational dealings
 It defines a set of control objectives, controls and implementation guidance.


                             Dr Muliaro-ISMS     9
ISO 27001:2005
 Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
 It is designed to ensure adequate security controls to protect information assets, and to document the ISMS
 Applicable for assessment and certification
                         Dr Muliaro-ISMS   10
Clauses
 Clauses 4 to 8 are mandatory.
 How would you ensure that management:
   ◦ is committed to IS?
   ◦ establishes roles and responsibilities for IS?
   ◦ provides training, awareness and competency?
   ◦ carries out reviews of the ISMS?

                             Dr Muliaro-ISMS       11
PDCA Model: Establishment & Management of ISMS (Plan)
1. Scope and boundaries
2. Policy/objectives
3. Define risk assessment approach
4. Identify risks
5. Analyse and evaluate risks
6. Identify and evaluate options for risk treatment
7. Select control objectives and controls
8. Obtain management approval of residual risk
9. Obtain management authorization to implement and operate the ISMS
10. Prepare statement of applicability
                             Dr Muliaro-ISMS   12
PDCA Model: Implementation & Operation of ISMS (Do)
1. Formulate risk treatment plan
2. Implement risk treatment plan
3. Define how to measure effectiveness of selected controls
4. Implement controls selected to meet control objectives
5. Implement training and awareness
6. Manage operations and resources
7. Implement procedures and other controls
                          Dr Muliaro-ISMS   13
PDCA Model: Monitoring & Reviewing of ISMS (Check)
1. Execute monitoring procedures and other controls
2. Undertake regular reviews of the effectiveness of the ISMS
3. Measure effectiveness of controls
4. Review risk assessments at planned intervals
5. Review the level of residual risk against the identified acceptable risk
6. Internal ISMS audit/management review
7. Update security plans
8. Record actions and events
                              Dr Muliaro-ISMS       14
PDCA Model: Maintaining & Improving of ISMS (Act)
1. Implement identified improvements
2. Take appropriate corrective and preventive actions
3. Communicate the actions and improvements
4. Ensure improvements achieve intended objectives



                        Dr Muliaro-ISMS   15
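The four PDCA slides above and the "Selection of Controls" slide describe a procedure in words only. The following worked example, added here and not part of Dr Wafula's slides, carries a constructed five-entry risk register through the Plan steps (score risks, choose a treatment, compute residual risk, flag what still needs management approval, produce a statement of applicability) and a Check step (measure control effectiveness and flag corrective action for the Act phase). The 1 to 5 likelihood/impact scale, the acceptance threshold of 6, the register entries and the measurement figures are all assumptions made for the example; the control catalogue uses the ISO 27002:2005 clause numbers from the slide plus 10.5.1 (information back-up) so that one exclusion can be justified.

```python
from dataclasses import dataclass, field

# Assumed scales: likelihood and impact each 1-5; risk score = likelihood x impact.
# ACCEPTABLE_RISK is the management-approved acceptance level (constructed value).
ACCEPTABLE_RISK = 6

# Catalogue: the ISO 27002:2005 clauses named on the "Selection of Controls" slide,
# plus 10.5.1 (a real clause, added so the SoA can show a justified exclusion).
CONTROL_CATALOGUE = {
    "5.1.1": "Information security policy document",
    "10.5.1": "Information back-up",
    "14": "Business continuity management",
    "15.1.2": "Intellectual property rights",
    "15.1.3": "Protection of organizational records",
    "15.1.4": "Data protection and privacy of personal information",
}
# Controls that apply regardless of what the register says (assumption for the example).
BASELINE_CONTROLS = {"5.1.1"}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str = "mitigate"          # accept | mitigate | transfer | avoid
    controls: list = field(default_factory=list)   # catalogue clauses selected (Plan step 7)
    reduction: int = 0                   # expected drop, in scale points, once treatment works

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after the chosen treatment (reviewed in Plan step 8)."""
        if self.treatment == "avoid":      # activity stopped, so the risk no longer exists
            return 0
        if self.treatment == "accept":     # nothing done: residual equals inherent
            return self.inherent()
        if self.treatment == "transfer":   # e.g. insurance: impact shifts to a third party
            return self.likelihood * max(1, self.impact - self.reduction)
        return max(1, self.likelihood - self.reduction) * self.impact   # mitigate


# Constructed sample register for a university; not data from the slides.
REGISTER = [
    Risk("Student records DB", "unauthorised disclosure", 4, 5, "mitigate", ["15.1.4", "15.1.3"], 2),
    Risk("Staff laptop", "theft", 3, 3, "transfer", [], 2),
    Risk("Library catalogue", "short outage", 2, 2, "accept"),
    Risk("Campus web server", "denial of service", 3, 4, "mitigate", ["14"], 2),
    Risk("Course material", "copyright infringement", 2, 3, "mitigate", ["15.1.2"], 1),
]


def analyse(register):
    """Plan steps 4-5: rank risks by inherent score, highest first."""
    return sorted(((r.asset, r.inherent()) for r in register), key=lambda t: -t[1])


def needs_management_approval(register, threshold=ACCEPTABLE_RISK):
    """Plan step 8: residual risks still above the acceptance level need explicit sign-off."""
    return [(r.asset, r.residual()) for r in register if r.residual() > threshold]


def statement_of_applicability(register, catalogue=CONTROL_CATALOGUE, baseline=BASELINE_CONTROLS):
    """Plan step 10: list every catalogue control with a justification for inclusion or exclusion."""
    soa = {}
    for clause, title in catalogue.items():
        treated = [r.asset for r in register if clause in r.controls]
        if clause in baseline:
            justification = "baseline: applies regardless of the register"
        elif treated:
            justification = "treats risk to: " + ", ".join(treated)
        else:
            justification = "excluded: no risk in the register requires it"
        soa[clause] = {"title": title, "applicable": clause in baseline or bool(treated),
                       "justification": justification}
    return soa


def control_effectiveness(measurements, minimum=0.8):
    """Check step 3: achieved versus target; a shortfall below `minimum` feeds the Act phase."""
    result = {}
    for m in measurements:
        ratio = m["achieved"] / m["target"]
        result[m["control"]] = {"effectiveness": round(ratio, 2), "corrective_action": ratio < minimum}
    return result


# Constructed Check-phase measurements (e.g. records whose access was reviewed this quarter,
# continuity exercises run against those planned).
MEASUREMENTS = [
    {"control": "15.1.4", "achieved": 45, "target": 50},
    {"control": "14", "achieved": 1, "target": 2},
]

if __name__ == "__main__":
    print(analyse(REGISTER))
    print(needs_management_approval(REGISTER))
    for clause, row in statement_of_applicability(REGISTER).items():
        print(clause, row)
    print(control_effectiveness(MEASUREMENTS))
```

With these figures only the student records risk stays above the acceptance level after treatment (residual 10), which is exactly the item Plan step 8 puts in front of management; the statement of applicability records why each control is in or out rather than listing only the selected ones; and the business continuity control's 0.5 effectiveness is the kind of measured shortfall that the Check phase hands to the Act phase as a corrective action.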
ISMS Critical Success Factors
1. Information security policy, objectives and activities that reflect business objectives
2. An approach and framework for implementing, maintaining, monitoring and improving IS that is consistent with the organizational culture
3. Visible support and commitment from all levels of management
4. A good understanding of the information security requirements, risk assessment and risk management
5. Effective marketing of IS to all managers, employees and other parties to achieve awareness
6. Distribution of guidance on the IS policy and standards to all managers/employees/stakeholders
7. Funding IS management activities
8. Providing appropriate awareness, training and education
9. Establishment of an effective IS incident management process
10. Implementation of a measurement system for performance in IS management and feedback of information for improvement
                                        Dr Muliaro-ISMS               16
JKUAT Information Security Policy (JISP)
   The specific objectives of information security are to:
   ◦ Protect information resources from unauthorized access;
   ◦ Ensure the continuity of systems processing services;
   ◦ Guarantee the privacy and accuracy of information resources;
   ◦ Allow proper restoration of the functionality of damaged resources;
   ◦ Prevent and detect possible threats, violations and security incidents
                                Dr Muliaro-ISMS          17
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Information Security Management Systems (ISMS) by Dr Wafula

  • 1. ISO 27001 and ISO 27002:2005: Information Security Management Systems (ISMS). Dr Muliaro J Wafula PhD, FCCS
  • 2. Aims/objectives
    1. Introduction
    2. Information security standards
       ◦ Clauses
       ◦ Control objectives
       ◦ Controls
    3. ISMS implementation using the PDCA model
    Dr Muliaro-ISMS 2
  • 3. Information Security (IS): definition. Why IS?
    1. Ensure business continuity
    2. Reduce/prevent damage to the business
    3. Ensure preservation of confidentiality, integrity and availability of information; authenticity, accountability, non-repudiation and reliability are also enhanced
    4. Interconnection of networks poses risk
    5. Trends in distributed computing
    6. Participation of customers/employees/stakeholders
    7. Marketing of products/services
    8. Internal management tool for control and confidence
    9. Dependence on information systems, which are vulnerable to IS threats
    10. Information, systems and networks are key business assets
  • 4. Information Security Management System (ISMS)
    ◦ Definition: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
    ◦ A management process with 3 key components:
       ◦ Confidentiality: available to authorized users only
       ◦ Integrity: accurate and complete
       ◦ Availability: accessible and usable when required by authorized users
  • 5. Information types
    ◦ Internal
    ◦ Public
    ◦ Private
    ◦ Customer/client
    ◦ Shared, etc.
  • 6. Information security risks
    ◦ Information theft
    ◦ Intrusion and subversion of system resources
    ◦ Denial of service
    ◦ Loss
    ◦ Corruption
    ◦ Masquerade
    ◦ Paper documents
    ◦ What are the most common IS mistakes made by individuals?
  • 7. Common IS mistakes
    1. Unattended computer left on
    2. Bad password etiquette (using default passwords)
    3. Laptops stolen
    4. Keeping passwords on post-it notes
    5. Opening e-mail attachments from strangers
    6. Check-in/check-out of workers
    7. Loose talk about passwords in public
    8. Getting into a rush and bypassing key security measures
    9. Vague knowledge of the security policy
    10. Non-reporting of security violations
    11. Late in updating ethics
  • 8. Selection of controls
    ◦ Expenditure on controls needs to be balanced against the business harm/risk
    ◦ Common ones include (numbers are ISO 27002:2005 clause references):
       ◦ Data protection and privacy of personal information (15.1.4)
       ◦ Protection of organizational records (15.1.3)
       ◦ Intellectual property rights (15.1.2)
       ◦ Information security policy document (5.1.1)
       ◦ Business continuity management (14), etc.
  • 9. ISO 27002:2005
    ◦ Provides guidance on best practices for information security management
    ◦ Prime objectives are:
       ◦ A common basis for organizations
       ◦ Build confidence in inter-organizational dealings
    ◦ It defines a set of control objectives, controls and implementation guidance.
  • 10. ISO 27001:2005
    ◦ Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
    ◦ It is designed to ensure adequate security controls to protect information assets, and to document the ISMS
    ◦ Applicable for assessment and certification
  • 11. Clauses
    ◦ Clauses 4-8 are mandatory.
    ◦ How would you ensure that management:
       ◦ is committed to IS?
       ◦ establishes roles and responsibilities for IS?
       ◦ provides training, awareness and competency?
       ◦ carries out reviews of the ISMS?
  • 12. PDCA model: establishment and management of the ISMS (Plan)
    1. Scope and boundaries
    2. Policy/objectives
    3. Define the risk assessment approach
    4. Identify risks
    5. Analyse and evaluate risks
    6. Identify and evaluate options for risk treatment
    7. Select control objectives and controls
    8. Obtain management approval of residual risk
    9. Obtain management authorization to implement and operate the ISMS
    10. Prepare the Statement of Applicability
  • 13. PDCA model: implementation and operation of the ISMS (Do)
    1. Formulate the risk treatment plan
    2. Implement the risk treatment plan
    3. Define how to measure the effectiveness of selected controls
    4. Implement the controls selected to meet the control objectives
    5. Implement training and awareness
    6. Manage operations and resources
    7. Implement procedures and other controls
  • 14. PDCA model: monitoring and reviewing of the ISMS (Check)
    1. Execute monitoring procedures and other controls
    2. Undertake regular reviews of the effectiveness of the ISMS
    3. Measure the effectiveness of controls
    4. Review risk assessments at planned intervals
    5. Review the level of residual risk and the identified acceptable risk
    6. Internal ISMS audit and management review
    7. Update security plans
    8. Record actions and events
  • 15. PDCA model: maintaining and improving the ISMS (Act)
    1. Implement identified improvements
    2. Take appropriate corrective and preventive actions
    3. Communicate the actions and improvements
    4. Ensure improvements achieve their intended objectives
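The risk-assessment steps of the Plan phase above (slide 12, steps 4 to 10) and the residual-risk review of the Check phase (slide 14, step 5) worked through on a toy risk register, as an added example that is not part of the original slides. The 1-5 likelihood x 1-5 impact scoring, the acceptance threshold of 4, the four treatment options and the sample risks are assumptions for illustration; ISO 27001 requires a defined risk assessment approach but does not prescribe this one. The control identifiers are the ISO 27002:2005 clause numbers listed on slide 8.

```python
"""ISO 27001 Plan phase on a toy risk register: identify risks (step 4),
analyse and evaluate them (step 5), choose a treatment (step 6), select
controls (step 7), flag residual risk for management approval (step 8)
and prepare a Statement of Applicability (step 10).
Scoring scheme and threshold are assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Control references as numbered on slide 8 (ISO 27002:2005 clause numbers).
CONTROLS: Dict[str, str] = {
    "5.1.1": "Information security policy document",
    "14": "Business continuity management",
    "15.1.2": "Intellectual property rights",
    "15.1.3": "Protection of organizational records",
    "15.1.4": "Data protection and privacy of personal information",
}
ACCEPTANCE_THRESHOLD = 4                                 # assumption: residual <= 4 is acceptable
TREATMENTS = ("reduce", "accept", "avoid", "transfer")   # step 6 options (assumed set)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                                       # 1 (rare) .. 5 (almost certain)
    impact: int                                           # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: List[str] = field(default_factory=list)     # controls selected in step 7
    treated_likelihood: Optional[int] = None              # expected scores once treated
    treated_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject registers that would silently produce meaningless scores.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        unknown = [c for c in self.controls if c not in CONTROLS]
        if unknown:
            raise ValueError(f"unknown control ids {unknown}")
        if self.treatment == "reduce" and not self.controls:
            raise ValueError("'reduce' must name at least one control")

    def inherent_score(self) -> int:
        """Step 5: risk level before any treatment."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk level expected after the chosen treatment is in place."""
        if self.treatment == "avoid":            # asset or activity removed entirely
            return 0
        if self.treatment == "accept":           # nothing changes; risk owned as-is
            return self.inherent_score()
        lik = self.treated_likelihood if self.treated_likelihood is not None else self.likelihood
        imp = self.treated_impact if self.treated_impact is not None else self.impact
        return lik * imp

    def acceptable(self) -> bool:
        return self.residual_score() <= ACCEPTANCE_THRESHOLD


def risks_needing_approval(register: Sequence[Risk]) -> List[Risk]:
    """Step 8 (and Check step 5): residual risk above threshold needs explicit sign-off."""
    return [r for r in register if not r.acceptable()]


def statement_of_applicability(register: Sequence[Risk],
                               baseline: Sequence[str] = ()) -> Dict[str, dict]:
    """Step 10: every catalogue control marked applicable or not, with a justification.
    `baseline` names controls adopted by policy regardless of the register (assumption)."""
    soa: Dict[str, dict] = {}
    for cid, name in CONTROLS.items():
        covering = [f"{r.asset}: {r.threat}" for r in register if cid in r.controls]
        if covering:
            entry = {"applicable": True, "justification": "treats " + "; ".join(covering)}
        elif cid in baseline:
            entry = {"applicable": True, "justification": "baseline control adopted by policy"}
        else:
            entry = {"applicable": False, "justification":
                     "no identified risk selects this control; exclusion to be justified at review"}
        soa[cid] = {"control": name, **entry}
    return soa


def build_sample_register() -> List[Risk]:
    """Constructed sample data, using the risk types listed on slide 6."""
    return [
        Risk("Customer database", "Information theft via stolen laptop", 4, 5,
             "reduce", ["15.1.4"], treated_likelihood=2, treated_impact=2),
        Risk("Organizational records", "Corruption or loss of paper documents", 3, 3,
             "reduce", ["15.1.3"], treated_likelihood=1, treated_impact=3),
        Risk("E-mail service", "Denial of service", 3, 4,
             "reduce", ["14"], treated_likelihood=3, treated_impact=2),
        Risk("Marketing website", "Defacement", 2, 2, "accept"),
        Risk("Legacy FTP server", "Intrusion and subversion of system resources", 5, 4, "avoid"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in register:
        print(f"{r.asset:<24} inherent={r.inherent_score():>2} residual={r.residual_score():>2} "
              f"{r.treatment:<8} acceptable={r.acceptable()}")
    print("needs management approval:", [r.asset for r in risks_needing_approval(register)])
    for cid, e in statement_of_applicability(register, baseline=("5.1.1",)).items():
        print(f"SoA {cid:<7} applicable={e['applicable']!s:<5} {e['justification']}")
```

In the sample register only the e-mail denial-of-service risk stays above the threshold after treatment (3 x 2 = 6), so it is the one item that must go to management for residual-risk approval before the ISMS is authorized; the Statement of Applicability lists every catalogue control, not just the selected ones, because an auditor checks the justification for each exclusion as closely as the inclusions.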
  • 16. ISMS critical success factors
    1. Information security policy, objectives and activities that reflect business objectives
    2. An approach and framework for implementing, maintaining, monitoring and improving IS that is consistent with the organizational culture
    3. Visible support and commitment from all levels of management
    4. A good understanding of the information security requirements, risk assessment and risk management
    5. Effective marketing of IS to all managers, employees and other parties to achieve awareness
    6. Distribution of guidance on IS policy and standards to all managers, employees and stakeholders
    7. Funding of IS management activities
    8. Providing appropriate awareness, training and education
    9. Establishment of an effective IS incident management process
    10. Implementation of a measurement system for performance in IS management, with feedback of information for improvement
  • 17. JKUAT Information Security Policy (JISP)
    ◦ The specific objectives of information security are to:
       ◦ Protect information resources from unauthorized access;
       ◦ Ensure the continuity of systems processing services;
       ◦ Guarantee the privacy and accuracy of information resources;
       ◦ Allow proper restoration of the functionality of damaged resources;
       ◦ Prevent and detect possible threats, violations and security incidents