The webinar covers:
1- Build a business case to implement ISO27001
- Who are stakeholders?
- Who is project executive sponsor?
- Incentives to implement? Is the BOD in support? Industry/market pressures?
- History (previous attempts/audits/issues/implications if failed)
- Consultant selection
- Cost and budgetary constraints.
- Resources constraints
2- Costs of not implementing ISO 27001
3- Wrap-up
Presenter:
The webinar was presented by PECB Partner and Trainer Mr. Mohamad Khachab, who has 30 years of professional experience in management consultancy, project management, teaching/training, IT procurement, preparing proposals, information risk management, research, developing bidding documents, and business development activities.
Link of the recorded session published on YouTube: https://youtu.be/6kBp3SxKDP8
Top management role to implement ISO 27001
1. Top Management Role in Implementing ISO/IEC 27001
Mohamad Khachab, MBA, PECB Certified Trainer, ISO 27001 LI, ISO 27005 RM
January 27, 2016
2. Mohamad Khachab
Lecturer, Management Consultant
Mr. Mohamad Khachab has 30 years of professional experience in management consultancy,
project management, teaching/training, IT Procurement, preparing proposals, information risk
management, research, developing bidding documents, and business development activities.
703-962-0793
khachabmy@ics4business.com www.ics4business.com
linkedin.com/in/mohamadkhachab
3. Top Management Role in Implementing ISO/IEC 27001
Agenda
• Introduction
• ISO 27001 Standard
• Structure & Controls
• Costs
• PDCA Model
• Data Qualities
• Management Planning
• Decision Making Factors
• Implementation Project Phases
PECB Webinar, Khachab, Management Role in Implementing ISO 27001, Jan. 27, 2016
4. Introduction
• All about “Tone at the Top”
• Strategic & healthy atmosphere
• TQM is a long term strategy
• Enterprise-wide awareness
• Senior management involvement
• Education/training (facts only, statistical methods, no myth)
• Decision making techniques
5. ISO 27001
• ISO 27001 requires a company to establish, implement, and maintain a continuous improvement approach to manage its ISMS.
6. ISO 27001 Standard
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.
7. ISO 27001 Standard
ISO 27001:2013 details 114 controls or security measures organized into 14 groups:
• Information security policies (2 controls)
• Organization of information security (7 controls)
• Human resource security (6 controls, applied before, during, or after employment)
• Asset management (10 controls)
• Access control (14 controls)
• Cryptography (2 controls)
• Physical and environmental security (15 controls)
• Operations security (14 controls)
• Communications security (7 controls)
• System acquisition, development and maintenance (13 controls)
• Supplier relationships (5 controls)
• Information security incident management (7 controls)
• Information security aspects of business continuity management (4 controls)
• Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
8. Costs
Costs are driven by risk perception and how much risk the organization is prepared to accept. Four costs for management to consider:
1- Internal resources
2- External resources
3- Certification
4- Implementation
10. Process Objectives
Easy understanding and implementation
Desired results:
- Time and cost savings in mind.
- Management Review of processes.
11. Data Qualities
• Confidentiality – Ensure information is accessible only to those authorized to have access.
• Integrity – Safeguard the accuracy and completeness of information and processing methods.
• Availability – Ensure that authorized users have access to information and assets when required.
12. What is your organization like?
• I want you to think in terms of:
– Culture
– Management practice
– Formal processes
– Maturity of TQM processes
– Strategies and business planning
– Internal Audit function
– IT Department and customer satisfaction
• Is senior managers' decision making rational?
13. Do you have a TQM Strategy?
TQM strategies vary from one organization to another, but a set of primary elements must be present:
• Top management has identified TQM as one of the organization's long-term and competitive strategies and is committed to it.
14. Management Planning
Vital to the success of implementation are two critical functions:
1. Effective input and early involvement of the Internal Audit Department contribute to effective development of the implementation strategy and to management review during the certification stages.
15. Management Planning (Cont.)
2. The IT Department will have to dedicate resources and time to the ISO 27001 implementation project.
Many constraints and questions:
- Are there other IT compliance initiatives?
- Procedures & policies (in the works)?
- How mature are the existing IT processes and controls?
- Are they aligned with the ISO 27001 requirements?
16. Enterprise Wide Project
Other business departments play an important role in the ISMS implementation.
17. Decision Making Factors
A number of factors influence when and how to
implement a standard:
– Business Objectives and priorities
– Existing IT maturity levels
– User acceptability and awareness
– Internal audit capability
– Contractual obligations
– Customer requirements
– Ability to adapt to change
– Adherence to internal processes
– Existing compliance efforts and legal requirements
– Existing training programs
19. Advice
- Address risks and opportunities rather than preventive action.
- Emphasize maintaining documented information rather than the information record.
- Set objectives.
- Monitor performance and develop metrics.
20. ISO 27001 Suggested Steps
• Define an ISMS policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Manage the identified risks.
• Select controls to be implemented and applied.
• Prepare a Statement of Applicability (SOA).
21. Identify Business Objectives
• You should know your interested parties (stakeholders).
• Identify and prioritize objectives to gain management support.
• Objectives are identified from business documents such as the Mission, Strategic Plan and IT Business Plan.
22. Identify Business Objectives
• Increase marketing reach.
• Assurance to business partners and customers.
• Increased revenue and profitability.
• Asset identification.
• Effective risk assessment.
• Preserve the organization's reputation.
• Compliance with government and industry regulators.
23. Obtain Management Support
Includes initiatives such as:
• An information security policy exists.
• Information security objectives and plans.
• An information security roles & responsibilities matrix exists.
• Communicating the importance of adherence to information security policies to the whole organization.
• Sufficient resources identified (to manage, develop, maintain, and implement the ISMS).
• Determination of the acceptable risk level.
• Periodic management reviews of the ISMS.
• Assurance of proper training for personnel affected by the ISMS.
• Appointment of competent personnel to their assigned roles & duties.
24. Implementation Scope
The standard requires listing scope exclusions and the reasons for them.
When setting the scope, consider:
- The selected scope helps achieve the identified business objectives.
- The organization's overall scale of operations, to determine the process' complexity level.
- Number of employees, business processes, number of locations, products, and services offered.
- What areas, locations, assets or technologies will be controlled by the ISMS.
- Does the ISMS apply to suppliers?
- Are there dependencies on other organizations?
- Is any regulatory or legislative standard applicable?
25. Define a Risk Assessment Method
The risk assessment method must be defined and documented. Things to consider:
• Which method is used to assess the risk?
• Which risks are intolerable and must be mitigated?
• Manage the residual risk!
26. Prepare Inventory of Information Assets
Management has to prioritize the assets to be protected according to risk classification, and record the owner, location, criticality and replacement value of each asset.
Three impact levels: high, medium, and low.
Identify risks and classify them according to severity and vulnerability.
Based on the risk values, determine whether each risk is tolerable or whether a control is needed to eliminate or reduce it.
27. Create a Risk Treatment Plan
• Organizations must either accept, avoid, transfer or reduce the risk to an acceptable level.
• Identification of operational controls and additional proposed controls.
• It is very important to obtain management approval of the proposed residual risks.
• Develop a schedule of proposed control implementation.
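The three steps above (define and document a risk assessment method, inventory assets with owner, location, criticality and replacement value, then accept, avoid, transfer or reduce each risk and get management approval of the residual risk) as an added Python example; this is not code from the webinar or from PECB. It assumes a simple scoring scheme (impact taken from the asset's criticality level, likelihood rated 1 to 3, risk = impact × likelihood), an assumed tolerance threshold of 4, assumed residual-score rules for each treatment option, and constructed sample assets, threats, controls and dates.

```python
"""Qualitative risk register with a treatment plan (added example, not PECB's code).
Assumed scoring: impact from the asset's criticality (high/medium/low -> 3/2/1),
likelihood rated 1-3, risk = impact * likelihood. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple

IMPACT = {"low": 1, "medium": 2, "high": 3}  # assumed criticality -> impact mapping
TOLERANCE = 4  # assumed: management accepts scores of 4 or below

class Treatment(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    TRANSFER = "transfer"
    REDUCE = "reduce"

@dataclass
class Asset:
    name: str
    owner: str
    location: str
    criticality: str        # "high", "medium" or "low"
    replacement_value: int  # constructed figure

@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int  # 1 (rare) .. 3 (likely): how exposed the asset is

    @property
    def score(self) -> int:
        return IMPACT[self.asset.criticality] * self.likelihood

@dataclass
class TreatmentEntry:
    risk: Risk
    treatment: Treatment
    control: Optional[str]
    residual_score: int
    due: Optional[date]
    approved_by_management: bool = False

Decision = Tuple[Treatment, Optional[str], Optional[date]]  # (option, control, due date)

def is_tolerable(risk: Risk, tolerance: int = TOLERANCE) -> bool:
    return risk.score <= tolerance

def plan_treatment(risk: Risk, decision: Optional[Decision], tolerance: int = TOLERANCE) -> TreatmentEntry:
    """Apply management's decision to one risk and estimate its residual score.
    Residual rules are assumptions: AVOID removes the risk, TRANSFER keeps the likelihood
    but shifts the impact to a third party (scored low), REDUCE lowers likelihood one level."""
    if is_tolerable(risk, tolerance):
        return TreatmentEntry(risk, Treatment.ACCEPT, None, risk.score, None)
    if decision is None:
        raise ValueError(f"intolerable risk has no treatment decision: {risk.threat}")
    treatment, control, due = decision
    if treatment is Treatment.AVOID:
        residual = 0
    elif treatment is Treatment.TRANSFER:
        residual = IMPACT["low"] * risk.likelihood
    elif treatment is Treatment.REDUCE:
        residual = IMPACT[risk.asset.criticality] * max(1, risk.likelihood - 1)
    else:  # ACCEPT above tolerance: score unchanged, needs explicit sign-off
        residual = risk.score
    return TreatmentEntry(risk, treatment, control, residual, due)

def build_plan(risks: List[Risk], decisions: Dict[str, Decision], tolerance: int = TOLERANCE) -> List[TreatmentEntry]:
    return [plan_treatment(r, decisions.get(r.threat), tolerance) for r in risks]

def unapproved_residuals(plan: List[TreatmentEntry], tolerance: int = TOLERANCE) -> List[TreatmentEntry]:
    """Residual risks still above tolerance that lack explicit management approval."""
    return [e for e in plan if e.residual_score > tolerance and not e.approved_by_management]

# Constructed sample asset inventory, risk register and management decisions
CRM_DB = Asset("customer database", "Head of Sales", "HQ server room", "high", 250_000)
LAPTOPS = Asset("field laptops", "IT Manager", "mobile", "medium", 15_000)
PRINTER = Asset("lobby printer", "Facilities", "HQ lobby", "low", 800)
SAMPLE_RISKS = [
    Risk(CRM_DB, "access by former staff", 3),                # 3 * 3 = 9
    Risk(LAPTOPS, "loss or theft while travelling", 3),       # 2 * 3 = 6
    Risk(PRINTER, "hardware failure", 2),                     # 1 * 2 = 2
    Risk(CRM_DB, "legacy unencrypted export to partner", 2),  # 3 * 2 = 6
]
SAMPLE_DECISIONS: Dict[str, Decision] = {
    "access by former staff": (Treatment.REDUCE, "leaver access review", date(2016, 4, 30)),
    "loss or theft while travelling": (Treatment.TRANSFER, "insurance plus disk encryption", date(2016, 3, 31)),
    "legacy unencrypted export to partner": (Treatment.AVOID, None, date(2016, 2, 29)),
}

if __name__ == "__main__":
    plan = build_plan(SAMPLE_RISKS, SAMPLE_DECISIONS)
    for e in plan:
        print(f"{e.risk.asset.name:18} score={e.risk.score} {e.treatment.value:8} residual={e.residual_score} due={e.due}")
    for e in unapproved_residuals(plan):
        print("management must approve residual risk for:", e.risk.threat)
```

The point of `unapproved_residuals` is the slide's "obtain management approval of the proposed residual risks": after the REDUCE control the customer database risk still scores 6, above the assumed tolerance of 4, so the register flags it until `approved_by_management` is set by a recorded management decision rather than silently treating the control as sufficient.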
28. Allocate Resources & Train your Staff
The ISMS process highlights one of the most important commitments for management: resources to manage, develop, maintain, and implement the ISMS.
- Auditors ask to see documentation of training.
29. Monitor the Implementation of ISMS
• The internal audit review consists of testing of controls and identifying corrective/preventive actions.
• The ISMS needs to be reviewed by management at periodic planned intervals.
• Project Management Review: tracks changes/improvements to policies, procedures, controls and staffing decisions.
• Document and maintain all results.
30. Prepare for the Certification Audit
To be certified, the organization must:
• conduct a full cycle of internal audits,
• carry out management reviews and the activities in the PDCA process,
• retain evidence of reviews and audits, and
• have management review risk assessments, risk treatment plans, the SOA, and policies & procedures annually.
31. Conduct Periodic Assessment Audits
• ISO 27001 follows the PDCA cycle and assists management in knowing the enterprise's progression along the cycle.
• Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.
• Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified.
1- Internal resources: the ISMS covers a wide range of business management functions (HR, IT, facilities & security), and resources from these departments are required during the implementation.
2- External resources: experienced consultants will help during internal audits and ensure a smooth transition toward certification.
3- Certification: fees paid to certification agencies to assess the organization against the ISO 27001 standard.
4- Implementation: these costs depend largely on the health of IT within the organization. Implementation costs are positively correlated with the risk assessment gap or audit. Implementing a QMS can take anywhere from 4 to one year depending on management support, the size and nature of the organization, IT maturity, and the quality/amount of existing documentation and change management.
Each organization is unique in terms of its culture, management practices, and the processes used to create and deliver its products and services.
Although the implementation of policies and procedures is largely perceived as an IT activity, other departments play an important role.
One of many examples: Facilities Management is responsible for physical security and access control.
The PDCA model is consistent with auditable international standards.
Management must lead these tasks.
Assurance to business partners and customers about the organization's commitment to information security, privacy and data protection.
Increased revenue and profitability by providing the highest level of security for sensitive data.
Management must make a commitment to planning, implementation, operation, monitoring, review, maintenance and improvement of the ISMS.
This ensures that management commits the number and type of resources needed to work on the ISMS, and that those resources have had the proper training, awareness, and competency.
Implementation scope may cover all or part of an organization.
Regulators or government standards come from the relevant industry, state/local or federal government, or from international regulators.
The scope shall be kept manageable; otherwise it can get out of hand.
Give careful consideration to policies, procedures, and controls.
Choosing the risk assessment method is a critical phase in establishing the ISMS.
A risk assessment methodology provides guidance on establishing risk levels for assets.
Once the assessment is completed, assets with intolerable risks are identified, along with the controls to mitigate those risks.
It is all about how you manage residual risks.
The external auditor will examine the ISMS documents to determine the scope and contents of the ISMS.
The objective of the review and audit is to have sufficient evidence and review/audit documents sent to an auditor for review.
The evidence and documents will demonstrate the efficiency and effectiveness of the implemented ISMS in the organization and its business units.