
How to determine a proper scope selection based on ISO 27001?

Meeting Clause 4 - Context of the Organization "generic" requirements of ISO 27001 in order to determine a proper Documented Scope statement that meets business requirements and gives value to products and/or services.

Main points that have been covered are:
• Interested Parties
• Interfaces & Dependencies
• Legal / Regulatory & Contractual Obligations (Risk of Non-Compliance)
• Documented Scope Statement (including locations within Scope)

Presenter:
Mr. David Anders has worked more than 20 years in the risk management field, managing a broad spectrum of consulting services and product solutions. David has worked in the consulting field for 16 years and is the founder / CEO of SecuraStar, LLC, a niche ISO 27001 consulting firm in the United States, and founder / CEO of ISMS Manager Software, LLC.

Link of the recorded session published on YouTube: https://youtu.be/hSaAvKgAC2c


Slide transcript:

  1. © iCertWorks 2015
  2. David Anders, CEO - President. Mr. David Anders has worked more than 20 years in the risk management field, managing a broad spectrum of consulting services and product solutions. David has worked in the consulting field for 16 years and is the founder / CEO of SecuraStar, LLC, a niche ISO 27001 consulting firm in the United States, and founder / CEO of ISMS Manager Software, LLC. Contact information: 855-476-2701, info@SecuraStar.com, www.SecuraStar.com, linkedin.com/in/andersdave
  3. INTELLECTUAL PROPERTY STATEMENT. The information contained within this presentation prepared for PECB is and will remain the intellectual property of SecuraStar, LLC, iCertWorks, LLC and/or ISOmanager Software, LLC. Any attempt to copy, reproduce, disassemble, decipher, reconfigure, reverse engineer, decompile, alter or make derivatives or improvements to or from any information provided in this presentation, including copyrights, patents, trade secrets, trademarks, ideas or any other intellectual property rights, may result in criminal and civil prosecution worldwide. By continuing to watch this presentation, you agree both personally and/or for your organization not to illegally violate any of our intellectual property rights.
  4. What are the ISO 27001 Generic Requirements? Clause 4 - Context of the Organization:
     • 4.1 - Understanding the organization and its context
     • 4.2 - Understanding the needs and expectations of interested parties
     • 4.3 - Determining the scope of the information security management system
     • 4.4 - Information security management system
  5. GENERIC REQUIREMENTS? ...then how do you implement ISO 27001? Let's start by establishing a step-by-step process in a FRAMEWORK.
  6. Start Building the Framework. [Diagram: ISO 27001 (2013) FRAMEWORK™, © SecuraStar, Inc. 2012, reproduction prohibited. The diagram shows the clause boxes 4 - Context of the Organization, 5 - Leadership & Commitment, 6 - Planning, 7 - Support, 8 - Operation, 9 - Performance Evaluation and 10 - Improvement, with these elements laid out among them: scope & boundaries; legal, regulatory and contractual requirements; information security policy & objectives; roles, responsibilities & authorities; risk assessment approach; risk assessment; risk treatment options; risk treatment plan; statement of applicability; objectives; resources; competence; training & awareness; communication; control of documents; control of records; risk management; asset inventory; business continuity plan; service agreements (OLA / SLA); policies, processes and procedures; monitor & measure; ISMS metrics; audit program; internal audits; external audits; previous audits & reviews; management review; corrective action procedure; corrective action record; "see control diagram".]
  7. 4 - Context of the Organization. [Diagram: 4 - CONTEXT OF THE ORGANIZATION with its two outputs, SCOPE & BOUNDARIES and LEGAL / REGULATORY / CONTRACTUAL.] These are the two basic outputs of the Context of the Organization that we use in our framework, based on the ISO 27001 requirements. Before we arrive at those two outputs, we can document a step-by-step, chronological process to show that we considered everything and came up with the right scope.
  8. Agenda: 4 - Context of the Organization
     1. Internal / External Issues
     2. Needs & Expectations of Interested Parties
     3. Scope of the ISMS
     4. Legal, Regulatory & Contractual Requirements
  9. Context of the Organization (agenda item 1: Internal / External Issues). Before beginning to build an ISMS, we must first determine the context of the organization and how it might affect the Scope (aka "the information we are trying to protect"). The context includes: how and why the business operates, business requirements, products, services, interested parties, interfaces & dependencies, legal / regulatory & contractual requirements, etc. This context may also include:
     • Internal: policies, objectives, governance, culture, etc.
     • External: factors that are relevant to information security (geographic, political, legal, financial, etc.)
  10. Interested Parties (agenda item 2: Needs & Expectations of Interested Parties). List all interested parties, including executive management, shareholders, employees, clients, government, etc., and their requirements for information security.

     | Interested Party | Information Security Requirement | Legal / Regulatory / Contractual | In / Out of ISMS Scope |
     |---|---|---|---|
     | Executive Management | Intellectual Property | Legal | Out |
     | Executive Management | Trade Secrets | Legal | Out |
     | Executive Management | Patents or Patents Pending | Legal | Out |
     | Executive Management | Copyrighted Information | Legal | Out |
     | Executive Management | Product Liability (Products) | Legal, Contractual | In |
     | Executive Management | Professional Liability (Services) | Legal, Contractual | In |
  11. Compliance (agenda item 2: Needs & Expectations of Interested Parties). List all the legal / regulatory & contractual requirements of the organization.

     | Requirement | Legal / Regulatory or Contractual | In / Out of Scope |
     |---|---|---|
     | SOC 1 (SSAE 16) | Contractual | In-Scope |
     | HIPAA / HITECH | Legal / Regulatory | In-Scope |
     | FISMA | Legal / Regulatory | In-Scope |
     | PCI-DSS | Contractual | Not in Scope |
     | Microsoft Contract | Contractual | Not in Scope |
  12. Interfaces and Dependencies (agenda item 2: Needs & Expectations of Interested Parties). Internal and external service providers to the scope (the information we are trying to protect).

     | Internal Providers (OLA) | Name | Interfaces or Dependencies |
     |---|---|---|
     | Human Resources | HR Mgr | Hiring of all employees, background checks, termination |
     | Business Operations | COO | Service contract negotiations (SLA) |
     | IT | IT Mgr | Network security, access control, computer hardware & software |

     | External Providers (SLA) | Name | Interfaces or Dependencies |
     |---|---|---|
     | Legal | ABC Law Firm | Network security, access control |
     | Office Facilities | Leased office property | Physical security, access control |
     | Cloud Services | Amazon Web Services (AWS) | Data storage, data security, business continuity (backups) |
  13. Legal, Regulatory & Contractual Requirements (agenda item 4). *ISO 27001 requires mandatory compliance with legal / regulatory & contractual requirements within the scope.
     • HIPAA / HITECH - healthcare requirements
     • PCI - Payment Card Industry
     • FISMA
     • SOX
     • SSAE 16
     • Any client contractual agreements regarding information security
  14. Define the Scope of the ISMS (agenda item 3: Scope & Boundaries of the ISMS). Now we are ready to consider all the context-of-the-organization factors we have listed to help us determine a proper scope.
  15. Define the Scope (agenda item 3: Scope & Boundaries of the ISMS). Now we are ready to consider all the context-of-the-organization factors we have listed to help us determine a proper scope.
     • The scope definition is the most important step in the whole process.
     • The scope will have a huge impact on the rest of the implementation project, including costs and effort.
     • The scope should:
       • meet business requirements
       • add value to products and/or services.
     • Make sure you choose carefully! The SCOPE is always a business decision!!!
  16. Some Good Questions to Ask (agenda item 3: Scope & Boundaries of the ISMS):
     • In what products / services do our clients expect us to protect their information?
     • What name do we call these products / services in our contracts?
     • What products / services would our clients litigate over if we were to have a breach of confidentiality, integrity and/or availability (CIA)?
     • What products / services are subject to constant information security questionnaires?
     • The answers to these questions are often a good indicator of what our scope should include at a minimum.
  17. Connecting product / service legal liability to the scope (agenda item 3: Scope & Boundaries of the ISMS). There is a direct connection between product and service legal liability and why our organizations buy product liability and professional liability (errors and omissions) insurance. Thus, an ISMS Scope that centers around protecting information in our products and services can provide value in two ways:
     1. "Reasonable Assurance" through ISO 27001 Certification that we have an ISMS in place to help protect our clients' information, giving value to our products and services.
     2. "Defensibility" on the back end, should there be a breach of CIA and our clients litigate against us, so we can "defend ourselves" and our actions to protect their information.
  18. ISMS Scope Diagram (agenda item 3: Scope & Boundaries of the ISMS). [Diagram: the Scope (Products / Services) at the center, surrounded by Your Clients; Internal Service Providers (HR, Software Development, Legal, IT, Quality Audit, Others); External Service Providers (Facilities, Other Service Providers, External Software Contractors, Vendors, Utilities, AWS Cloud).]
  19. Scope & Boundaries of the ISMS (agenda item 3). [Diagram, © SecuraStar, Inc. 2012, reproduction prohibited: In-Scope vs. Out-of-Scope, with Primary Product / Services and the business processes that collect, store, access and distribute information at the center; Supporting Services and Internal Service Providers under an Operational Level Agreement (OLA): Sales & Marketing (CRM), Help Desk, Accounting, Human Resources, Software Development, IT, Physical Security; External Service Providers under a Service Level Agreement (SLA).]

     ISMS Scope of Registration: The scope of the <organization's> information security management system (ISMS) includes the <business process of collecting, storing, accessing and distributing information in the Primary Products and/or Services (and storage facilities?)>, including all underlying assets, located in its offices in <cities, states, countries>. The scope does not include any other business processes, assets or locations.
  20. Scope & Boundaries of the ISMS (agenda item 3). It is recommended to describe and/or even create a diagram of the various business processes found within the scope, to help interested parties understand the "information life cycle" in each and what assets are at risk. Example:

     | Business Process | Description |
     |---|---|
     | (Overall) | The process of collecting, storing and distributing public property ownership record information to real estate title insurance companies. |
     | Collection | The collection includes the query of public records related to the subject property and/or persons. |
     | Storage | The storage includes a specially designed commercial software product to conduct its work; the software and related matters reside in a secured cloud server administered by a competent third party. |
     | Distribution | The distribution includes the transfer of real estate information to title insurance companies. |
  21. Additional Steps (agenda item 4: Legal, Regulatory & Contractual Requirements):
     1) Add all legal / regulatory and contractual requirements within the scope (only) to the Asset Inventory, and assess the risk of non-compliance in the risk assessment phase.
     2) Map all legal, regulatory and contractual requirements to Annex A Control Objectives and Controls in the Statement of Applicability (SoA).
     *For ISO 27001 Certification, you MUST show you can monitor and measure all legal / regulatory and contractual requirements within the scope!
  22. Start Building the Framework. [Diagram: ISO 27001 (2013) FRAMEWORK™, © SecuraStar, Inc. 2012, reproduction prohibited; same diagram as slide 6.]
  23. ISO 27001 Training Courses:
     • ISO/IEC 27001 Introduction - 1 day course
     • ISO/IEC 27001 Foundation - 2 days course
     • ISO/IEC 27001 Lead Implementer - 5 days course
     • ISO/IEC 27001 Lead Auditor - 5 days course
     Exam and certification fees are included in the training price. https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events
  24. THANK YOU. Questions? Contact information: 855-476-2701, info@SecuraStar.com, www.SecuraStar.com, linkedin.com/in/andersdave
