A to Z of Information Security
© Mark Conway - Oak Consult 2014
Introduction
The purpose of information security is to protect an organisation’s valuable assets, such as information, intellectual property, hardware, and software.
Through the selection and application of appropriate
safeguards or controls, information security helps an
organisation to meet its business objectives by
protecting its physical and financial resources,
reputation, legal position, employees, and other
tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance with the ISO27001 Information Security standard.
Accredited Certification
Like other ISO management system standards, certification to
ISO27001 is not obligatory. Some organisations choose to
implement the standard in order to benefit from the best practice it
contains, while others decide they also want to get certified to
reassure customers and stakeholders that its recommendations
have been followed.
Customers are increasingly asking for certification of their suppliers
and for that reason many suppliers are also demanding certification
of their supply chain.
ISO27001 Certification is a shrewd investment for any organisation,
acting as an immediate, universally recognised indicator of an
independently audited, best practice approach to information
security, risk management & the protection of client data.
Achieving ISO27001 Certification does require an investment of
time, effort & budget from an organisation, but there are
significant regulatory, commercial, operational & reputational
benefits that will repay the initial investment several times over.
Best Practice
ISO27002 is a code of practice - a generic, advisory document, not
a formal specification like ISO27001. It recommends information
security controls addressing information security control objectives
arising from risks to the confidentiality, integrity and availability of
information.
Organisations that adopt ISO27002 must assess their own
information security risks, clarify their control objectives and apply
suitable controls (or indeed other forms of risk treatment) using the
standard for guidance.
Just as ISO 27002 provides a set of guidelines for best practice in
implementing an Information Security Management System (ISMS),
ISO 27005 provides best practice guidelines for risk management.
As part of constructing a suitable and secure information security management system, you must assess the risks to your information and be prepared to mitigate these risks. The standard is structured logically around groups of related security controls; see F (Fourteen Security Controls).
Controls
A control is an administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:
– Preventative - prevents impact upon an asset.
– Detective - detects impact upon an asset.
– Reactive - reacts to impact on an asset; includes:
  – Corrective - actively reduces impact.
  – Recovery - restores an asset after impact.
Controls may reduce information security threats
or impacts, although most reduce vulnerabilities.
Data Protection
The 1998 Data Protection Act identifies the security obligation for controllers of personal data. In summary, controllers of personal data are required to:
– Implement appropriate technology that will keep data safe and secure,
taking into account the state of technological development, the cost
of the technology, the nature of the data that is being protected and
the harm that might result from a security breach.
– Hire reliable staff and take steps throughout their employment to
ensure their reliability. This will extend to pre-employment vetting and
ongoing monitoring where appropriate.
– Use data processors who provide sufficient guarantees about security,
who agree to work only pursuant to a contract and who agree to
process data only on the controller's instruction. The controller must
take appropriate steps to ensure the reliability of the processor.
Collectively these provisions address all the major themes within a
comprehensive information security management system, and they
dovetail nicely with the headline requirements of ISO27001.
Employee Engagement
Many employees do not understand what information security is all about. You need to
explain to your colleagues why information security is needed, the implications of not
putting controls in place and how to perform certain tasks.
In addition to training, awareness must give an answer to the question Why? - explain to
your employees why they should accept information security as a normal working
practice.
There are many methods you can use, for example:
– Include employees in documentation development
– Presentations - organise short meetings, conference calls or webinars where you can explain what
new policies and procedures are being published and ask your employees for opinions about
them, as well as clarify any misunderstandings.
– Articles on your intranet or internal newsletters - simple stories (with as many examples as
possible)
– E-learning - you can create short online training modules that explain the significance of these
topics, as well as train your employees in spotting key areas of risk and how they can help
mitigate them.
– Videos - they are a very powerful presentation method - you can distribute them via email,
through the intranet or use them at team / company events.
– Team Meetings - use regular meetings that are organised in your organisation to briefly present
what you are doing and how it affects your colleagues.
– Day-to-day conversations - you have to sell the idea of information security / business continuity.
You should prepare a plan defining which of these methods you will use, and how often, as well as regular measurement of how effective they are.
Fourteen Security Control Categories
The control categories are:
– IS Policies
– Organisation
– Human Resources
– Asset Management
– Access Control
– Cryptography
– Physical & Environmental
– Operations
– Communications
– System Acquisition, Development / Maintenance
– Supplier Relationships
– Incident Management
– Business Continuity
– Compliance
Governance
Information security governance is the system by which an organisation directs and
controls Information security. It also describes the process of establishing and
maintaining a framework to provide assurance that information security strategies
are aligned with and support business objectives, are consistent with applicable
laws and regulations through adherence to policies and internal controls, and
provide assignment of responsibility, all in an effort to manage risk.
In simplest terms, it is a subset of the discipline of corporate governance, focused, unsurprisingly, on information security.
As discussed later, senior management’s fundamental commitment to information security is the most important aspect of effectively managing the security risk to an organisation’s information assets; this is also referred to as leadership duty of care or due care.
To be successful information security governance activities must be driven by the
board of directors, senior management and designated key personnel.
These activities should be undertaken in a manner consistent with an
organisation’s risk management and strategic plans, compliance requirements,
organisational structure, culture and management policies.
A key aspect of security governance is the need to define decision rights and
accountability. Achieving this both in theory and practice requires the right
culture, policy frameworks, internal controls and defined practices.
Human Resources
HR is key to an organisation’s information security health, which is why ISO27001/2 has a
section dedicated to all matters HR.
It not only outlines possible information security controls, but also includes vital
implementation guidance in each of its sections related to the employment lifecycle,
providing advice in relation to pre-employment, employment and post-employment activities.
1. Pre-employment phase
Covers areas such as screening or vetting and contracts/terms and conditions.
2. Employment stage
During employment, all staff members have a duty of care towards their organisation’s
information assets.
The IT department is usually expected to take care of security but, in fact, it takes care of IT security. The scope of an organisation’s information assets is much broader, and those assets are subject to a great many higher risks than IT can reasonably be expected to cover.
It is generally accepted that around 80% of organisational data breaches are caused by
people rather than technical failure. This may be the result of staff using USBs to carry data
that perhaps they shouldn’t be.
3. Post-employment period
The post-employment period is a very risky one in terms of organisations’ information security.
They can end up being the target of malice, theft or reputational damage.
ISO27002 offers clear guidance on suitable policies and procedures for the termination
process, which includes advice on how staff should return assets and on how best to remove
their access rights. It also offers clear guidelines on how to implement such policies.
Integrity, Availability and Confidentiality
At the heart of an Information Security Management System is the preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(Diagram: the three properties Integrity, Availability and Confidentiality)
Justification for ISO27001
With information and data now the lifeblood of many organisations, putting
measures in place to protect such information from threats, breaches of
security and theft is often essential for ensuring the longevity and reputation
of your business.
– Safeguarding your organisation’s information which will lead to reduced incidents,
disruptions and accidents
– Provides customers and stakeholders with confidence in how you manage risk
– Allows for secure exchange of information and keeps confidential information secure
– Reduces customer audit impacts
– Allows you to ensure you are meeting your legal obligations
– Helps you to comply with other regulations
– Potentially provides you with a competitive advantage
– Consistency in the delivery of your service or product
– Manages and minimises risk exposure and builds a culture of security within the
organisation
– Develops opportunities for positive PR for your organisation
– Reduces possible negative media stories which are generated from data and information
breaches
– Protects the company, assets, shareholders and directors
Knowledge and Training
Adequate resources (people, time, money) should be allocated to the operation of
the Information Security Management System (ISMS) and all security controls. In
addition, the staff who must work within the ISMS (maintaining it and its
documentation and implementing its controls) must receive appropriate training.
The success of the training program should be monitored to ensure that it is
effective.
You should also establish a plan for how you will determine the effectiveness of the
training.
What you will need:
– A list of the employees who will work within the ISMS
– All of the ISMS procedures used for identifying what type of training is needed and which
members of the staff or interested parties will require training
– Management agreement to the resource allocation and the training plans
Specific documentation is not required in the ISO standards. However, to provide
evidence that resource planning and training has taken place, you should have
documentation that shows who has received training and what training they have
received.
In addition, you might want to include a section for each employee that lists what
training they should be given.
Leadership and Management Buy-in
The leadership and management team of an organisation plays an important
role in the success of an Information Security Management System.
The Management responsibility section of ISO27001 states:
Management must make a commitment to the establishment, implementation,
operation, monitoring, review, maintenance, and improvement of the ISMS.
Commitment must include activities such as ensuring that the proper resources
are available to work on the ISMS and that all employees affected by the ISMS
have the proper training, awareness, and competency.
Establishment of the following demonstrates management commitment:
– An information security policy; this policy can be a standalone document or part of an
overall security manual that is used by an organisation
– Information security objectives and plans; again this information can be a standalone
document or part of an overall security manual that is used by an organisation
– Roles and responsibilities for information security; a list of the roles related to information
security should be documented either in the organisation’s job description documents or
as part of the security manual or ISMS description documents.
– Announcement or communication to the organisation about the importance of adhering
to the information security policy.
– Sufficient resources to manage, develop, maintain, and implement the ISMS.
Measurement and Monitoring
To ensure that the ISMS is effective and remains current and fit for purpose ISO27001 requires:
– Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement,
and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to
previous corrective or preventative actions and their effectiveness.
– Periodic internal audits - The results of the reviews and audits must be documented and records related to the reviews and
audits must be maintained.
To perform management reviews, ISO27001 requires the following input:
– Results of ISMS internal and external audits and reviews
– Feedback from interested parties
– Techniques, products, or procedures which could be used in the organisation to improve the effectiveness of the ISMS
– Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
– Incident reports, for example, if there has been a security failure, a report that identifies what the failure was, when it
occurred, and how it was handled and possibly corrected.
– Vulnerabilities or threats not adequately addressed in the previous risk assessment
– Follow-up actions from previous reviews
– Any organisational changes that could affect the ISMS
– Recommendations for improvement
To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and
methods. You also need the procedure that identifies the responsibilities and requirements for planning and
conducting the audits, and for reporting results and maintaining records.
The results of a management review should include decisions and actions related to:
– Improvements to the ISMS
– Modification of procedures that affect information security at all levels within the organisation
– Resource needs
The results of an internal audit should result in identification of nonconformities and their related corrective
actions or preventative actions. ISO27001 lists the activity and record requirements related to corrective and
preventative actions.
Not just a tick in a box
If implemented properly and with management buy-in to the
process the value that ISO27001 can bring to your organisation
can be significant.
87% of respondents to a recent BSI Erasmus survey stated that implementing ISO 27001 had a "positive" or "very positive" outcome, with 39% reporting decreased down-time of IT systems and the same number a decrease in the number of security incidents.
Of those that were certified to the standard:
– 78% reported increased ability to meet compliance requirements
– 56% an increased ability to respond to tenders
– 51% an increased external customer satisfaction
– 62% increased relative competitive position
– ROI / sales increased despite rise in cost to develop and support IT
Organisation Objectives
An organisation’s ISMS is influenced by the needs
and objectives, security requirements, the
organisational processes used and the size and
structure of the organisation.
It is essential that any security arrangements that are
to be implemented relate to (or support) overall
organisation objectives and strategy. They must be
productive and reflect stakeholder requirements.
Understanding this relationship enables you to adopt
strategies and make recommendations that will
promote the business and for information security to
enjoy the support of top management.
Policy, Process and Procedures
An Information Security Policy is the cornerstone of an Information Security Management
System. It should reflect the organisation's objectives and the agreed upon management
strategy for securing key assets.
In order to be useful in providing authority to execute the remainder of the Information
Security Management System, it must also be formally agreed upon by executive
management.
The essence of a good information security policy:
– Keep it as short as possible
– Keep it relevant to the audience
– Keep it aligned to the needs of the business
– Keep it aligned to the legislation and regulatory frameworks in which you operate
– Do not marginalise it by aiming to "tick the box", as the policy needs to add value to the employee
and the overall outcomes and behaviours you are looking to promote
– Share it with all of your key stakeholders internally and externally
The policy document is exactly that - a high-level statement of the organisation’s position on
the chosen topic (the "why"), not to be confused with the procedural documentation which
deals with "how" the policy is to be enacted. Procedures are sometimes necessarily much
longer documents if they are describing complex processes which must be followed.
Ideally, the policy should be brief and to the point about the user’s responsibilities towards
the information they collect, use, access or otherwise process, and to sign-post them to the
other relevant policies and procedures for the areas in which they operate.
Quality Management System Approach
If you already have a Quality Management System / ISO9001 certification some of
the elements you have implemented for your organisation can be used for your
ISMS as well, namely:
– Setting the organisation goals and tracking whether they have been achieved - the same
mechanism is laid down in both standards.
– Management review - the principles for management review are the same for both
management systems.
– Document management - the procedures used for document management can be used
for the same purpose in ISMS with minor adjustments.
– Internal audit - the same procedures can be used for both QMS and ISMS, although you
might use different people.
– Corrective and preventive actions - the procedures used for QMS can be used for the
same purpose in ISMS.
– Human resources management - the same cycle of HR planning, training and evaluation is
used for both management systems.
Therefore, if you have already implemented ISO 9001, you will have an easier job
implementing ISO27001 - you could save up to 30% of time.
Further, you will have cheaper certification audits since certification bodies are
offering the so called "integrated audits", which means they will do both ISO 9001
and ISO 27001 in the same audit, charging you a smaller fee compared to
separated audits.
Risk Assessment and Treatment
In order to comply with ISO27001 an organisation must define a risk assessment methodology for Information
Security risks.
They must identify criteria for accepting risks, identify the acceptable levels of risk and develop a Risk Treatment Plan.
Risk Assessment
Identify all assets of the organisation relating to information security and compile an Asset Register.
Identify combinations of threats and vulnerabilities relating to the asset, and then identify the impacts that
losses of confidentiality, integrity and availability may have on the asset using an Asset Risk Assessment Report.
The impacts take into account the business, legal or contractual obligations that the company has.
The assessment then looks at the likelihood of the security failure occurring, by combining the frequency and the likelihood of the threat.
A combination of the impact and likelihood of the security failure provides a level of the risk normally in three
categories:
– Low Risk: No immediate action required although there may be improvements in processes/technology that reduce the
impact of the security failure.
– Medium Risk: Must be included in the management review of the IMS with actions identified if required and inclusion in the
Risk Treatment Plan.
– High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.
Risk Treatment
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks. (ISO 31000:2009)
Standards
The ISO27000 family of Standards is broad in scope. As technology evolves,
new standards are continually being developed to meet the requirements of
information security.
ISO 27001 is a specification. It sets out specific requirements, all of which must
be followed, and against which an organisation's Information Security
Management System (ISMS) can be audited and certified.
All the other Standards in the ISO27000 family are Codes of Practice. They
provide non-mandatory best practice guidelines which organisations may
follow, in whole or in part.
A key feature of the standards is that they are applicable to any organisation,
in any sector, of any size. Key concepts which govern the standards are:
– Organisations are encouraged to assess their own information security risks
– Organisations should implement appropriate information security controls according to
their needs
– Guidance should be taken from the relevant standards
– Implement continuous feedback and use of the Plan, Do, Check, Act model
– Continually assess changes in threat and risk to information security issues.
Testing
Effective Penetration Testing involves the simulation of a malicious
attack against the security measures under test, often using a
combination of methods and tools, and conducted by a
certificated, ethical professional tester. The resulting findings
provide a basis upon which security measures can be improved.
There are specific points in your Information Security Management
System (ISMS) project where penetration testing has a significant
contribution to make:
– As part of the risk assessment process: uncovering vulnerabilities in
any internet-facing IP addresses, web applications, or internal devices
and applications, and linking them to identifiable threats.
– As part of the Risk Treatment Plan, ensuring that controls that are
implemented actually work as designed.
– As part of the ongoing corrective action/preventive action and
continual improvement processes, ensuring that controls continue to
work as required and that new and emerging threats and
vulnerabilities are identified and dealt with.
Understanding internal and external context
A key element of ISO27001 is the organisation’s context both internal and external with
regard to information security. A deep understanding should be gained at the outset of
an ISO27001 implementation and also reviewed at least annually or when any major
changes occur e.g. changes to regulations.
External context
Any of the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local. (ISO27000)
– Key drivers and trends having an impact on the objectives of the organisation
– Relationships with, and perceptions and values of, external stakeholders
Internal context
– Organisation’s culture
– Governance, organisational structure, roles and responsibilities
– Policies and objectives and the strategies in place to achieve them
– Capital in terms of resources and knowledge (e.g. money, time, processes, systems, people and technology)
– Informal and formal information systems, information flows and decision making processes
– Adopted standards, guidelines, frameworks and models already in place
– Relationships with internal stakeholders
Vulnerabilities
A non-exhaustive list of the kind of vulnerabilities you should think about as part of your risk assessments and risk treatments:
Who should be in the ISMS Project Team?
Your ISMS Project Team should be drawn from senior
managers from those parts of your organisation most
likely to be impacted by the management system and
should also include some functional areas such as IT,
facilities, procurement and HR, but absolutely should not
be owned or driven by IT.
Ideally you would also have an experienced project
manager and a board level sponsor that is actively
engaged and who chairs project boards.
XSS (Cross-Site Scripting) and other Cyber Attacks
According to the recently published Information Security Breaches Survey
2014, commissioned by the Department for Business, Innovation and Skills
(BIS) and conducted by PWC, Cyber attacks have continued to grow in
frequency and intensity over the last year and the focus seems to have shifted
back towards large organisations. The proportion of large organisations that
were successfully hacked continues to rise - up to nearly a quarter of
respondents this year. One in four large organisations reported penetration
of their networks, up by 4% from a year ago.
More worryingly, most of the affected companies were penetrated not just
once but once every few weeks during the year - nearly a tenth of those
affected are being successfully penetrated every day. Small businesses
experienced fewer outsider attacks with 12 % of them being penetrated
(down from 15% last year). Different industries experience different levels of
network penetration attacks.
Telecommunication companies were the most affected; nearly a quarter of
them reported penetration. Roughly one in six utility companies and banks
were also affected.
The UK Government have provided some useful guidance for organisations
to follow - Cyber security guidance for business
Yielding Better Results
Investing time and resource upfront with Senior Management, Key
Stakeholders and carrying out robust risk assessments within the right
contexts will pay dividends on a number of levels.
Implementing ISO 27001 requires careful thought, planning, and
coordination to ensure a smooth control adoption.
The decision of when and how to implement the standard may be
influenced by a number of factors, including different business
objectives, existing levels of IT maturity and compliance efforts, user
acceptability and awareness, customer requirements or contractual
obligations, and the ability of the organisation to adapt to change and
adhere to internal processes.
The more prepared you and your people are to comprehend the need
for implementation, accept that some processes will require change
and have the commitment to make it happen, the better the results
for your organisation.
Zipping through ISO27001
I hope that this A to Z of Information Security hasn’t put you off!
As you will have seen, there are significant benefits both from a
business protection basis and that of bringing on new business.
For smaller businesses, based in one building with fewer than 20 employees, the implementation process doesn’t need to be too arduous; it can be completed within a few short months and doesn’t need to cost a fortune.
It is a requirement of UKAS accreditation that the certification
body does not provide consultancy services which it then itself
certifies.
Oak Consult can work with you to implement an Information
Security Management System that will be fit for accredited
certification. As part of our service, we will help you select a
certification body whose fees will be appropriate and who can
respond appropriately to your need for certification.
ISO 27001
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 

Andere mochten auch

Data protection janine paterson - direct marketing association
Data protection   janine paterson - direct marketing associationData protection   janine paterson - direct marketing association
Data protection janine paterson - direct marketing associationiof_events
 
Legal Compliance for doing business in United Kingdom and Europe
Legal Compliance for doing businessin United Kingdom and EuropeLegal Compliance for doing businessin United Kingdom and Europe
Legal Compliance for doing business in United Kingdom and EuropeCA CISA Jayjit Biswas
 
Smau Milano 2014 - Stefano Fratepietro
Smau Milano 2014 - Stefano FratepietroSmau Milano 2014 - Stefano Fratepietro
Smau Milano 2014 - Stefano FratepietroSMAU
 
Italgo Information Security Governance
Italgo Information Security GovernanceItalgo Information Security Governance
Italgo Information Security GovernanceGianandrea Daverio
 
General Data Protection Regulations (GDPR) Summary
General Data Protection Regulations (GDPR) Summary General Data Protection Regulations (GDPR) Summary
General Data Protection Regulations (GDPR) Summary Compliance3
 
sergio fumagalli il gdpr e le pmi, i codici di condotta -convegno 17 01 17
sergio fumagalli   il gdpr e le pmi, i codici di condotta -convegno 17 01 17sergio fumagalli   il gdpr e le pmi, i codici di condotta -convegno 17 01 17
sergio fumagalli il gdpr e le pmi, i codici di condotta -convegno 17 01 17Paolo Calvi
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk MgmtAlfred Ouyang
 
GDPR Tutorial - 2 Considerazioni generali - seconda parte
GDPR Tutorial - 2 Considerazioni generali - seconda parteGDPR Tutorial - 2 Considerazioni generali - seconda parte
GDPR Tutorial - 2 Considerazioni generali - seconda parteMassimo Carnevali
 
GDPR Tutorial - 1 Considerazioni generali - prima parte
GDPR Tutorial - 1 Considerazioni generali - prima parteGDPR Tutorial - 1 Considerazioni generali - prima parte
GDPR Tutorial - 1 Considerazioni generali - prima parteMassimo Carnevali
 
GDPR Tutorial - 3 Titolari, responsabili e soggetti
GDPR Tutorial - 3 Titolari, responsabili e soggettiGDPR Tutorial - 3 Titolari, responsabili e soggetti
GDPR Tutorial - 3 Titolari, responsabili e soggettiMassimo Carnevali
 
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...Digital Law Communication
 
Highlights of the Singapore Personal Data Protection Act 2012
Highlights of the Singapore Personal Data Protection Act 2012Highlights of the Singapore Personal Data Protection Act 2012
Highlights of the Singapore Personal Data Protection Act 2012Fuji Xerox Singapore
 
La sicurezza nel regolamento 679/2016 (GDPR)
La sicurezza nel regolamento 679/2016 (GDPR)La sicurezza nel regolamento 679/2016 (GDPR)
La sicurezza nel regolamento 679/2016 (GDPR)EuroPrivacy
 
La Cyber Security spiegata al capo.
La Cyber Security spiegata al capo.La Cyber Security spiegata al capo.
La Cyber Security spiegata al capo.Carlo Balbo
 
Oss. Informaton Security & Privacy
Oss. Informaton Security & PrivacyOss. Informaton Security & Privacy
Oss. Informaton Security & PrivacyAlessandro Piva
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoGiulio Coraggio
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic ManagementMarcelo Martins
 

Andere mochten auch (20)

Data protection janine paterson - direct marketing association
Data protection   janine paterson - direct marketing associationData protection   janine paterson - direct marketing association
Data protection janine paterson - direct marketing association
 
Information Security
Information SecurityInformation Security
Information Security
 
Health data - Is it safe?
Health data - Is it safe?Health data - Is it safe?
Health data - Is it safe?
 
La Nuova Security
La Nuova SecurityLa Nuova Security
La Nuova Security
 
Legal Compliance for doing business in United Kingdom and Europe
Legal Compliance for doing businessin United Kingdom and EuropeLegal Compliance for doing businessin United Kingdom and Europe
Legal Compliance for doing business in United Kingdom and Europe
 
Smau Milano 2014 - Stefano Fratepietro
Smau Milano 2014 - Stefano FratepietroSmau Milano 2014 - Stefano Fratepietro
Smau Milano 2014 - Stefano Fratepietro
 
Italgo Information Security Governance
Italgo Information Security GovernanceItalgo Information Security Governance
Italgo Information Security Governance
 
General Data Protection Regulations (GDPR) Summary
General Data Protection Regulations (GDPR) Summary General Data Protection Regulations (GDPR) Summary
General Data Protection Regulations (GDPR) Summary
 
sergio fumagalli il gdpr e le pmi, i codici di condotta -convegno 17 01 17
sergio fumagalli   il gdpr e le pmi, i codici di condotta -convegno 17 01 17sergio fumagalli   il gdpr e le pmi, i codici di condotta -convegno 17 01 17
sergio fumagalli il gdpr e le pmi, i codici di condotta -convegno 17 01 17
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
 
GDPR Tutorial - 2 Considerazioni generali - seconda parte
GDPR Tutorial - 2 Considerazioni generali - seconda parteGDPR Tutorial - 2 Considerazioni generali - seconda parte
GDPR Tutorial - 2 Considerazioni generali - seconda parte
 
GDPR Tutorial - 1 Considerazioni generali - prima parte
GDPR Tutorial - 1 Considerazioni generali - prima parteGDPR Tutorial - 1 Considerazioni generali - prima parte
GDPR Tutorial - 1 Considerazioni generali - prima parte
 
GDPR Tutorial - 3 Titolari, responsabili e soggetti
GDPR Tutorial - 3 Titolari, responsabili e soggettiGDPR Tutorial - 3 Titolari, responsabili e soggetti
GDPR Tutorial - 3 Titolari, responsabili e soggetti
 
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...
Privacy e protezione del dato. Gli adempimenti del nuovo Regolamento UE 679/2...
 
Highlights of the Singapore Personal Data Protection Act 2012
Highlights of the Singapore Personal Data Protection Act 2012Highlights of the Singapore Personal Data Protection Act 2012
Highlights of the Singapore Personal Data Protection Act 2012
 
La sicurezza nel regolamento 679/2016 (GDPR)
La sicurezza nel regolamento 679/2016 (GDPR)La sicurezza nel regolamento 679/2016 (GDPR)
La sicurezza nel regolamento 679/2016 (GDPR)
 
La Cyber Security spiegata al capo.
La Cyber Security spiegata al capo.La Cyber Security spiegata al capo.
La Cyber Security spiegata al capo.
 
Oss. Informaton Security & Privacy
Oss. Informaton Security & PrivacyOss. Informaton Security & Privacy
Oss. Informaton Security & Privacy
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeo
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 

Ähnlich wie A to Z of Information Security Management

CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policyRossMob1
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfElyes ELEBRI
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationSyed Azher
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesLearningwithRayYT
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and proceduresStevenSegaert
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk ManagementHamed Moghaddam
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNA Putra
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 

Ähnlich wie A to Z of Information Security Management (20)

CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework Types
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and procedures
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 

Mehr von Mark Conway

A to Z of Customer Experience
A to Z of Customer ExperienceA to Z of Customer Experience
A to Z of Customer ExperienceMark Conway
 
A to Z of Business Strategy
A to Z of Business StrategyA to Z of Business Strategy
A to Z of Business StrategyMark Conway
 
Avoid the Mushroom Culture - The 7 deadly sins
Avoid the Mushroom Culture - The 7 deadly sinsAvoid the Mushroom Culture - The 7 deadly sins
Avoid the Mushroom Culture - The 7 deadly sinsMark Conway
 
A to Z of Leadership Qualities
A to Z of Leadership QualitiesA to Z of Leadership Qualities
A to Z of Leadership QualitiesMark Conway
 
A to Z of Building a Winning Team
A to Z of Building a Winning TeamA to Z of Building a Winning Team
A to Z of Building a Winning TeamMark Conway
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk ManagementMark Conway
 
A to Z of Business Continuity Managment
A to Z of Business Continuity ManagmentA to Z of Business Continuity Managment
A to Z of Business Continuity ManagmentMark Conway
 

Mehr von Mark Conway (7)

A to Z of Customer Experience
A to Z of Customer ExperienceA to Z of Customer Experience
A to Z of Customer Experience
 
A to Z of Business Strategy
A to Z of Business StrategyA to Z of Business Strategy
A to Z of Business Strategy
 
Avoid the Mushroom Culture - The 7 deadly sins
Avoid the Mushroom Culture - The 7 deadly sinsAvoid the Mushroom Culture - The 7 deadly sins
Avoid the Mushroom Culture - The 7 deadly sins
 
A to Z of Leadership Qualities
A to Z of Leadership QualitiesA to Z of Leadership Qualities
A to Z of Leadership Qualities
 
A to Z of Building a Winning Team
A to Z of Building a Winning TeamA to Z of Building a Winning Team
A to Z of Building a Winning Team
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk Management
 
A to Z of Business Continuity Managment
A to Z of Business Continuity ManagmentA to Z of Business Continuity Managment
A to Z of Business Continuity Managment
 

Kürzlich hochgeladen

Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insightsseribangash
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfOnline Income Engine
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 DelhiCall Girls in Delhi
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 

Kürzlich hochgeladen (20)

Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insights
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdf
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
 

A to Z of Information Security Management

1. A to Z of Information Security
© Mark Conway - Oak Consult 2014
2. Introduction
The purpose of information security is to protect an organisation’s valuable assets, such as information, intellectual property, hardware, and software. Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance with the ISO27001 Information Security standard.
3. Accredited Certification
Like other ISO management system standards, certification to ISO27001 is not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and stakeholders that the standard's recommendations have been followed.
Customers are increasingly asking for certification of their suppliers, and for that reason many suppliers are also demanding certification of their supply chain.
ISO27001 certification is a shrewd investment for any organisation, acting as an immediate, universally recognised indicator of an independently audited, best practice approach to information security, risk management and the protection of client data.
Achieving ISO27001 certification does require an investment of time, effort and budget from an organisation, but there are significant regulatory, commercial, operational and reputational benefits that will repay the initial investment several times over.
4. Best Practice
ISO27002 is a code of practice - a generic, advisory document, not a formal specification like ISO27001. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. Organisations that adopt ISO27002 must assess their own information security risks, clarify their control objectives and apply suitable controls (or indeed other forms of risk treatment) using the standard for guidance.
Just as ISO27002 provides a set of guidelines for best practice in implementing an Information Security Management System (ISMS), ISO27005 provides best practice guidelines for risk management. As part of constructing a suitable and secure information security management system, you must assess the risks to your information and be prepared to mitigate these risks.
The standard is structured logically around groups of related security controls. See F.
  • 5. Controls
    An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security event or incident. The following types of control exist:
    – Preventative - prevents impact upon an asset.
    – Detective - detects impact upon an asset.
    – Reactive - reacts to impact on an asset, includes:
      Corrective - actively reduces impact.
      Recovery - restores an asset after impact.
    Controls may reduce information security threats or impacts, although most reduce vulnerabilities.
  • 6. Data Protection
    The 1998 Data Protection Act identifies the security obligations of controllers of personal data. In summary, controllers of personal data are required to:
    – Implement appropriate technology that will keep data safe and secure, taking into account the state of technological development, the cost of the technology, the nature of the data that is being protected and the harm that might result from a security breach.
    – Hire reliable staff and take steps throughout their employment to ensure their reliability. This will extend to pre-employment vetting and ongoing monitoring where appropriate.
    – Use data processors who provide sufficient guarantees about security, who agree to work only pursuant to a contract and who agree to process data only on the controller's instruction. The controller must take appropriate steps to ensure the reliability of the processor.
    Collectively these provisions address all the major themes within a comprehensive information security management system, and they dovetail nicely with the headline requirements of ISO27001.
  • 7. Employee Engagement
    Many employees do not understand what information security is all about. You need to explain to your colleagues why information security is needed, the implications of not putting controls in place and how to perform certain tasks. In addition to training, awareness must give an answer to the question "Why?" - explain to your employees why they should accept information security as a normal working practice. There are many methods you can use, for example:
    – Include employees in documentation development
    – Presentations - organise short meetings, conference calls or webinars where you can explain what new policies and procedures are being published and ask your employees for opinions about them, as well as clarify any misunderstandings.
    – Articles on your intranet or internal newsletters - simple stories (with as many examples as possible)
    – E-learning - you can create short online training modules that explain the significance of these topics, as well as train your employees in spotting key areas of risk and how they can help mitigate them.
    – Videos - they are a very powerful presentation method - you can distribute them via email, through the intranet or use them at team / company events.
    – Team Meetings - use regular meetings that are organised in your organisation to briefly present what you are doing and how it affects your colleagues.
    – Day-to-day conversations - you have to sell the idea of information security / business continuity.
    You should prepare a plan defining which of these methods you will perform, and how often, as well as regular measurement as to how effective they are.
  • 8. Fourteen Security Controls Categories
    Control Categories:
    – IS Policies
    – Organisation
    – Human Resources
    – Asset Management
    – Access Control
    – Cryptography
    – Physical & Environmental
    – Operations
    – Communications
    – System Acquisition, Development / Maintenance
    – Supplier Relationships
    – Incident Management
    – Business Continuity
    – Compliance
  • 9. Governance
    Information security governance is the system by which an organisation directs and controls information security. It also describes the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. In simplest terms, it is a subset of the discipline of corporate governance, focused, unsurprisingly, on information security.
    As discussed later, senior management's fundamental commitment to information security is the most important aspect of effectively managing the security risk to an organisation's information assets, also referred to as leadership duty of care or due care. To be successful, information security governance activities must be driven by the board of directors, senior management and designated key personnel. These activities should be undertaken in a manner consistent with an organisation's risk management and strategic plans, compliance requirements, organisational structure, culture and management policies.
    A key aspect of security governance is the need to define decision rights and accountability. Achieving this both in theory and practice requires the right culture, policy frameworks, internal controls and defined practices.
  • 10. Human Resources
    HR is key to an organisation's information security health, which is why ISO27001/2 has a section dedicated to all matters HR. It not only outlines possible information security controls, but also includes vital implementation guidance in each of its sections related to the employment lifecycle, providing advice in relation to pre-employment, employment and post-employment activities.
    1. Pre-employment phase
    Covers areas such as screening or vetting and contracts/terms and conditions.
    2. Employment stage
    During employment, all staff members have a duty of care towards their organisation's information assets. The IT department is usually expected to take care of security but, in fact, it takes care of IT security. The scope of an organisation's information assets is much broader, and those assets are subject to a great many higher risks than IT can reasonably be expected to cover. It is generally accepted that around 80% of organisational data breaches are caused by people rather than technical failure. This may be the result of staff using USBs to carry data that perhaps they shouldn't be.
    3. Post-employment period
    The post-employment period is a very risky one in terms of organisations' information security. They can end up being the target of malice, theft or reputational damage. ISO27002 offers clear guidance on suitable policies and procedures for the termination process, which includes advice on how staff should return assets and on how best to remove their access rights. It also offers clear guidelines on how to implement such policies.
  • 11. Integrity, Availability and Confidentiality
    At the heart of an Information Security Management System is the preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
  • 12. Justification for ISO27001
    With information and data now the lifeblood of many organisations, putting measures in place to protect such information from threats, breaches of security and theft is often essential for ensuring the longevity and reputation of your business.
    – Safeguarding your organisation's information which will lead to reduced incidents, disruptions and accidents
    – Provides customers and stakeholders with confidence in how you manage risk
    – Allows for secure exchange of information and keeps confidential information secure
    – Reduces customer audit impacts
    – Allows you to ensure you are meeting your legal obligations
    – Helps you to comply with other regulations
    – Potentially provides you with a competitive advantage
    – Consistency in the delivery of your service or product
    – Manages and minimises risk exposure and builds a culture of security within the organisation
    – Develops opportunities for positive PR for your organisation
    – Reduces possible negative media stories which are generated from data and information breaches
    – Protects the company, assets, shareholders and directors
  • 13. Knowledge and Training
    Adequate resources (people, time, money) should be allocated to the operation of the Information Security Management System (ISMS) and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. You should also establish a plan for how you will determine the effectiveness of the training.
    What you will need:
    – A list of the employees who will work within the ISMS
    – All of the ISMS procedures used for identifying what type of training is needed and which members of the staff or interested parties will require training
    – Management agreement to the resource allocation and the training plans
    Specific documentation is not required in the ISO standards. However, to provide evidence that resource planning and training has taken place, you should have documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given.
  • 14. Leadership and Management Buy-in
    The leadership and management team of an organisation plays an important role in the success of an Information Security Management System. The Management responsibility section of ISO27001 states:
    Management must make a commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.
    Establishment of the following demonstrates management commitment:
    – An information security policy; this policy can be a standalone document or part of an overall security manual that is used by an organisation
    – Information security objectives and plans; again this information can be a standalone document or part of an overall security manual that is used by an organisation
    – Roles and responsibilities for information security; a list of the roles related to information security should be documented either in the organisation's job description documents or as part of the security manual or ISMS description documents.
    – Announcement or communication to the organisation about the importance of adhering to the information security policy.
    – Sufficient resources to manage, develop, maintain, and implement the ISMS.
  • 15. Measurement and Monitoring
    To ensure that the ISMS is effective and remains current and fit for purpose, ISO27001 requires:
    – Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement, and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.
    – Periodic internal audits - the results of the reviews and audits must be documented and records related to the reviews and audits must be maintained.
    To perform management reviews, ISO27001 requires the following input:
    – Results of ISMS internal and external audits and reviews
    – Feedback from interested parties
    – Techniques, products, or procedures which could be used in the organisation to improve the effectiveness of the ISMS
    – Preventative and corrective actions (including those that might have been identified in previous reviews or audits)
    – Incident reports, for example, if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected.
    – Vulnerabilities or threats not adequately addressed in the previous risk assessment
    – Follow-up actions from previous reviews
    – Any organisational changes that could affect the ISMS
    – Recommendations for improvement
    To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and methods. You also need the procedure that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.
    The results of a management review should include decisions and actions related to:
    – Improvements to the ISMS
    – Modification of procedures that affect information security at all levels within the organisation
    – Resource needs
    An internal audit should result in the identification of nonconformities and their related corrective actions or preventative actions. ISO27001 lists the activity and record requirements related to corrective and preventative actions.
  • 16. Not just a tick in a box
    If implemented properly and with management buy-in to the process, the value that ISO27001 can bring to your organisation can be significant. 87% of respondents to a recent BSI Erasmus survey stated that implementing ISO 27001 had a "positive" or "very positive" outcome, with 39% reporting decreased down-time of IT systems and the same number reporting a decrease in the number of security incidents. Of those that were certified to the standard:
    – 78% reported increased ability to meet compliance requirements
    – 56% an increased ability to respond to tenders
    – 51% an increased external customer satisfaction
    – 62% increased relative competitive position
    – ROI / sales increased despite rise in cost to develop and support IT
  • 17. Organisation Objectives
    An organisation's ISMS is influenced by its needs and objectives, security requirements, the organisational processes used and the size and structure of the organisation. It is essential that any security arrangements that are to be implemented relate to (or support) overall organisation objectives and strategy. They must be productive and reflect stakeholder requirements. Understanding this relationship enables you to adopt strategies and make recommendations that will promote the business and allow information security to enjoy the support of top management.
  • 18. Policy, Process and Procedures
    An Information Security Policy is the cornerstone of an Information Security Management System. It should reflect the organisation's objectives and the agreed upon management strategy for securing key assets. In order to be useful in providing authority to execute the remainder of the Information Security Management System, it must also be formally agreed upon by executive management.
    The essence of a good information security policy:
    – Keep it as short as possible
    – Keep it relevant to the audience
    – Keep it aligned to the needs of the business
    – Keep it aligned to the legislation and regulatory frameworks in which you operate
    – Do not marginalise it by aiming to "tick the box", as the policy needs to add value to the employee and the overall outcomes and behaviours you are looking to promote
    – Share it with all of your key stakeholders internally and externally
    The policy document is exactly that - a high-level statement of the organisation's position on the chosen topic (the "why"), not to be confused with the procedural documentation which deals with "how" the policy is to be enacted. Procedures are sometimes necessarily much longer documents if they are describing complex processes which must be followed. Ideally, the policy should be brief and to the point about the user's responsibilities towards the information they collect, use, access or otherwise process, and should sign-post them to the other relevant policies and procedures for the areas in which they operate.
  • 19. Quality Management System Approach
    If you already have a Quality Management System / ISO9001 certification, some of the elements you have implemented for your organisation can be used for your ISMS as well, namely:
    – Setting the organisation goals and tracking whether they have been achieved - the same mechanism is laid down in both standards.
    – Management review - the principles for management review are the same for both management systems.
    – Document management - the procedures used for document management can be used for the same purpose in the ISMS with minor adjustments.
    – Internal audit - the same procedures can be used for both QMS and ISMS, although you might use different people.
    – Corrective and preventive actions - the procedures used for QMS can be used for the same purpose in the ISMS.
    – Human resources management - the same cycle of HR planning, training and evaluation is used for both management systems.
    Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO27001 - you could save up to 30% of time. Further, you will have cheaper certification audits, since certification bodies offer so-called "integrated audits", which means they will do both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separate audits.
  • 20. Risk Assessment and Treatment
    In order to comply with ISO27001 an organisation must define a risk assessment methodology for information security risks. They must identify criteria for accepting risks, identify the acceptable levels of risk and develop a Risk Treatment Plan.
    Risk Assessment
    Identify all assets of the organisation relating to information security and compile an Asset Register. Identify combinations of threats and vulnerabilities relating to the asset, and then identify the impacts that losses of confidentiality, integrity and availability may have on the asset using an Asset Risk Assessment Report. The impacts take into account the business, legal or contractual obligations that the company has. The assessment then looks at the likelihood of the security failure occurring, by a combination of the frequency and the likelihood of the threat. A combination of the impact and likelihood of the security failure provides a level of risk, normally in three categories:
    – Low Risk: No immediate action required, although there may be improvements in processes/technology that reduce the impact of the security failure.
    – Medium Risk: Must be included in the management review of the IMS with actions identified if required and inclusion in the Risk Treatment Plan.
    – High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.
    Risk Treatment
    Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks. (Source: ISO 31000:2009)
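    The following Python sketch is an added example, not part of the deck and not Oak Consult's or ISO's own methodology. It walks a constructed asset register through the flow the slide describes: asset, threat/vulnerability pair, impact on confidentiality, integrity and availability, likelihood, a combined Low/Medium/High rating, and the resulting Risk Treatment Plan entries. The 1..5 ordinal scales, the impact times likelihood product, the band thresholds and the sample register are all assumptions chosen for illustration; ISO27001 requires you to define your own methodology and acceptance criteria. It also flags the "severe but rare" case the treatment text calls out, so that a low-probability, high-consequence risk is not silently dropped just because its score lands in the Low band.

```python
"""Added example: a minimal risk register calculator for the ISO27001 assessment flow.
Scales, the impact*likelihood product, thresholds and sample data are assumptions."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales (not defined by the standard or the slide).
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}


@dataclass(frozen=True)
class RiskScenario:
    """One Asset Register entry paired with a threat/vulnerability combination."""
    asset: str
    threat: str
    vulnerability: str
    confidentiality: str  # impact if confidentiality of the asset is lost
    integrity: str        # impact if integrity is lost
    availability: str     # impact if availability is lost
    likelihood: str       # how likely the threat is to exploit the vulnerability


def impact_score(s: RiskScenario) -> int:
    """Worst-case impact across C, I and A (assumption: take the maximum, not a sum)."""
    return max(IMPACT_SCALE[s.confidentiality],
               IMPACT_SCALE[s.integrity],
               IMPACT_SCALE[s.availability])


def risk_score(s: RiskScenario) -> int:
    """Combine impact and likelihood; here a simple product on a 1..25 scale."""
    return impact_score(s) * LIKELIHOOD_SCALE[s.likelihood]


def risk_level(score: int) -> str:
    """Map the score onto the three bands the slide describes (thresholds assumed)."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def disposition(level: str) -> str:
    """Action the slide attaches to each band."""
    return {
        "Low": "No immediate action; consider process/technology improvements",
        "Medium": "Include in management review; add to Risk Treatment Plan if required",
        "High": "Must be in Risk Treatment Plan with positive actions to reduce risk",
    }[level]


def assess(register):
    """Produce one Asset Risk Assessment row per scenario.

    'severe_but_rare' marks a high-consequence, low-likelihood risk whose product
    lands in the Low band but may still warrant treatment on non-economic grounds."""
    rows = []
    for s in register:
        score = risk_score(s)
        level = risk_level(score)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "impact": impact_score(s),
            "likelihood": LIKELIHOOD_SCALE[s.likelihood],
            "score": score,
            "level": level,
            "severe_but_rare": impact_score(s) == IMPACT_SCALE["severe"] and level == "Low",
            "disposition": disposition(level),
        })
    return rows


def treatment_plan(register):
    """Asset names that go forward to the Risk Treatment Plan or management review."""
    return [r["asset"] for r in assess(register)
            if r["level"] in ("Medium", "High") or r["severe_but_rare"]]


# Constructed sample register (illustrative values only, not real findings).
SAMPLE_REGISTER = [
    RiskScenario("Customer database", "External attacker", "Unpatched web application",
                 "severe", "moderate", "minor", "likely"),
    RiskScenario("Staff laptops", "Theft", "No full-disk encryption",
                 "major", "negligible", "minor", "possible"),
    RiskScenario("Intranet wiki", "Hardware failure", "No backups",
                 "negligible", "minor", "moderate", "rare"),
    RiskScenario("Primary data centre", "Flood", "Single site, no failover",
                 "negligible", "negligible", "severe", "rare"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = " (severe but rare: review treatment)" if row["severe_but_rare"] else ""
        print(f"{row['asset']:<22} score={row['score']:>2} {row['level']:<6} {row['disposition']}{flag}")
    print("Risk Treatment Plan / review:", treatment_plan(SAMPLE_REGISTER))
```

    With the sample register, the customer database scores 20 (High), the laptops 12 (Medium), the wiki 3 (Low) and the data centre 5 (Low but flagged as severe-but-rare), so three of the four entries are carried into the treatment plan. Whatever scales you choose, record them in the methodology document alongside the acceptance criteria, since the auditor will check that the same rules were applied consistently across the register.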
  • 21. Standards
    The ISO27000 family of Standards is broad in scope. As technology evolves, new standards are continually being developed to meet the requirements of information security. ISO 27001 is a specification. It sets out specific requirements, all of which must be followed, and against which an organisation's Information Security Management System (ISMS) can be audited and certified. All the other Standards in the ISO27000 family are Codes of Practice. They provide non-mandatory best practice guidelines which organisations may follow, in whole or in part. A key feature of the standards is that they are applicable to any organisation, in any sector, of any size.
    Key concepts which govern the standards are:
    – Organisations are encouraged to assess their own information security risks
    – Organisations should implement appropriate information security controls according to their needs
    – Guidance should be taken from the relevant standards
    – Implement continuous feedback and use of the Plan, Do, Check, Act model
    – Continually assess changes in threat and risk to information security issues.
  • 22. Testing
    Effective Penetration Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certificated, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved. There are specific points in your Information Security Management System (ISMS) project where penetration testing has a significant contribution to make:
    – As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
    – As part of the Risk Treatment Plan, ensuring that controls that are implemented actually work as designed.
    – As part of the ongoing corrective action/preventive action and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
  • 23. Understanding internal and external context
    A key element of ISO27001 is the organisation's context, both internal and external, with regard to information security. A deep understanding should be gained at the outset of an ISO27001 implementation and also reviewed at least annually or when any major changes occur, e.g. changes to regulations.
    External context
    – Any of the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local. (ISO27000)
    – Key drivers and trends having an impact on the objectives of the organisation
    – Relationships with, and perceptions and values of, external stakeholders
    Internal context
    – Organisation's culture
    – Governance, organisational structure, roles and responsibilities
    – Policies and objectives and the strategies in place to achieve them
    – Capital in terms of resources and knowledge (e.g. money, time, processes, systems, people and technology)
    – Informal and formal information systems, information flows and decision making processes
    – Adopted standards, guidelines, frameworks and models already in place
    – Relationships with internal stakeholders
  • 24. Vulnerabilities A non-exhaustive list of the kind of vulnerabilities you should think about as part of your risk assessments and risk treatments:
  • 25. Who should be in the ISMS Project Team? Your ISMS Project Team should be drawn from senior managers from those parts of your organisation most likely to be impacted by the management system and should also include some functional areas such as IT, facilities, procurement and HR, but absolutely should not be owned or driven by IT. Ideally you would also have an experienced project manager and a board level sponsor that is actively engaged and who chairs project boards.
  • 26. XSS (Cross-Site Scripting) and other Cyber Attacks
    According to the recently published Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and conducted by PWC, cyber attacks have continued to grow in frequency and intensity over the last year and the focus seems to have shifted back towards large organisations. The proportion of large organisations that were successfully hacked continues to rise - up to nearly a quarter of respondents this year. One in four large organisations reported penetration of their networks, up by 4% from a year ago. More worryingly, most of the affected companies were penetrated not just once but once every few weeks during the year - nearly a tenth of those affected are being successfully penetrated every day. Small businesses experienced fewer outsider attacks, with 12% of them being penetrated (down from 15% last year). Different industries experience different levels of network penetration attacks. Telecommunication companies were the most affected; nearly a quarter of them reported penetration. Roughly one in six utility companies and banks were also affected. The UK Government have provided some useful guidance for organisations to follow - Cyber security guidance for business
  • 27. Yielding Better Results Investing time and resource upfront with Senior Management, Key Stakeholders and carrying out robust risk assessments within the right contexts will pay dividends on a number of levels. Implementing ISO 27001 requires careful thought, planning, and coordination to ensure a smooth control adoption. The decision of when and how to implement the standard may be influenced by a number of factors, including different business objectives, existing levels of IT maturity and compliance efforts, user acceptability and awareness, customer requirements or contractual obligations, and the ability of the organisation to adapt to change and adhere to internal processes. The more prepared you and your people are to comprehend the need for implementation, accept that some processes will require change and have the commitment to make it happen, the better the results for your organisation.
  • 28. Zipping through ISO27001 I hope that this A to Z of Information Security hasn’t put you off! As you will have seen, there are significant benefits both from a business protection basis and that of bringing on new business. For smaller businesses, based in one building with less than 20 employees, the implementation process doesn’t need to be too arduous and can be completed within a few short months and doesn’t need to cost a fortune. It is a requirement of UKAS accreditation that the certification body does not provide consultancy services which it then itself certifies. Oak Consult can work with you to implement an Information Security Management System that will be fit for accredited certification. As part of our service, we will help you select a certification body whose fees will be appropriate and who can respond appropriately to your need for certification.