Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985; Management of Health and Safety at Work Regulations
Finance & Commercial
Companies Act 2006; The Employers’ Liability (Compulsory Insurance) Act 1969, Regulations and Amendments; Income Tax (Pay As You Earn) Regulations 2003; Records for PAYE, HM Revenue and Customs; Other Record Keeping, HM Revenue and Customs; Records of Corporation Tax, HM Revenue and Customs; Accounts and Records for Your VAT, HM Revenue and Customs; Taxes Management Act 1970; Financial Conduct Authority Handbook
Retention of Communications Data under Part 11: Anti-Terrorism, Crime and Security Act 2001, Home Office Data Retention (EC Directive) Regulations 2009
Civil Evidence Act 1968; Police and Criminal Evidence Act 1984; Computer Misuse Act 1990; The Copyright (Computer Programs) Regulations 1992; The Data Protection Act 1998; Freedom of Information Act 2000; Regulation of Investigatory Powers Act 2000; Electronic Communications Act 2000; Dual Use (Export Control) Regulations 2000; Electronic Signatures Regulations 2002; Electronic Commerce Regulations 2002; Privacy and Electronic Communications Regulations 2003.
Information is defined as:
An asset that, like any other important business assets, is essential to an organisation’s
business. Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or by using electronic means, shown on films, or spoken in
Information security and its objectives are defined as protecting and preserving the following principles:
Confidentiality - The property that information is not made available or disclosed to unauthorised
individuals, entities or processes;
Integrity - The property of safeguarding the accuracy and completeness of assets;
Availability - The property of being accessible and usable upon demand by an authorised entity.
● ISO27001 history and certification bodies
● ISO27001:2013 Clause 4-10
● ISO27001:2013 Example Annex A controls
• From 1995 to 2015
• Certification bodies
• Compliance or certification?
ISO27001: From 1995 to 2015
● 1995: The UK Department of Trade and Industry (DTI) writes, and the British
Standards Institution (BSI) publishes, BS 7799.
● 2000: BS 7799 is adopted by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC)
and renamed ISO/IEC 17799.
● 2005: ISO/IEC 27001:2005 is published, building in suggested security
controls, risk assessment and risk management.
● 2013: ISO/IEC 27001:2013 is published.
ISO27001: Compliance or certification?
Compliance
Why? No contractual obligations.
Pros: Less cost.
Cons: Prevents working with some clients.
Certification
Why? Contractual obligation.
Pros: Internationally recognised; reduces impact of security on client
Cons: Adds overhead to working with some
Potentially dedicated resource.
ISO27001:2013 Clause 4-10
• Context of the organisation
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement
ISO27001: Context of the organisation
What? • Organisation issues;
• Interested parties needs and expectations;
• Information Security Management System (ISMS) scope.
How? • PESTEL & SWOT analysis.
• ISMS scope.
ISO27001: Leadership
What? • Demonstration of top management commitment to information
• Information security policy;
• Roles, responsibilities and authorities.
How? • Security forum;
• Security task force;
• Visible board support.
• Information security policy.
ISO27001: Planning
What? • Determine risks and opportunities which need to be addressed;
• Define an information security risk assessment process;
• Define an information security risk treatment process;
• Define information security objectives.
How? • SWOT analysis;
• Risk assessment and treatment templates;
• Simple objectives with simple measures to begin with.
• Risk assessment process;
• Risk treatment process;
• Statement of Applicability;
• Information security objectives.
ISO27001: Support
What? • Determine and provide the resources needed;
• Determine the necessary competence and ensure met;
• Staff awareness;
• Internal and external communication;
• The need for documented information.
How? • Map competency to specific training;
• Staff document set and test;
• Comms plan;
• Quality management control of documents.
• Evidence of competence.
ISO27001: Operation
What? • Perform risk assessment;
• Perform risk treatment.
How? • Risk assessment and treatment templates;
• Involve top management.
• Results of risk assessment;
• Results of risk treatment.
ISO27001: Improvement
What? • Nonconformities;
• Corrective actions;
• Continual improvement.
How? • Nonconformity and corrective action templates;
• Internal and external audit;
• Internal and external penetration testing.
• Nature of nonconformities;
• Corrective actions taken;
• Results of corrective actions.
ISO27001:2013 Annex A Controls
• Mobile device policy
• Access control policy
• Physical entry controls
• Clear desk and clear screen policy
• Addressing security in supplier agreements
• Compliance with Legal and Contractual requirements
Annex A.6.2.1 - Mobile device policy
● Registration of mobile devices;
● Requirements for physical protection;
● Restriction of software installation;
● Restriction of connection to information services;
● Access controls;
● Cryptographic techniques;
● Remote disabling, wipe or lockout.
When using mobile devices, special care should be taken to ensure that business
information is not compromised.
Annex A.9.1.1 - Access control policy
● Relevant legislation and any contractual obligations regarding limitation of
access to data or services;
● Formal authorisation of access requests;
● Periodic review of access rights;
● Removal of access rights;
● Roles with privileged access.
Asset owners should determine appropriate access control rules, access rights and
restrictions for specific user roles towards their assets.
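The periodic review, removal of access rights and privileged-role points above are usually run as a recurring check over an account export rather than by hand. The script below is an added example, not code from the original slides; the CSV column layout, the account data, the 90-day inactivity threshold and the choice of `domain-admins` as the only privileged group are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample account export (not real data). The column layout is an
# assumption about what an identity system or HR feed would provide.
SAMPLE_EXPORT = """\
username,role,last_login,left_on,groups
alice,engineer,2015-06-01,,vpn;git
bob,contractor,2015-01-15,2015-02-28,vpn;git;domain-admins
carol,finance,2014-11-02,,finance-share
dave,engineer,2015-05-30,,vpn;domain-admins
erin,intern,,,vpn
"""

# Assumptions for this example: which groups count as privileged, and how long
# an account may sit unused before the review questions it.
PRIVILEGED_GROUPS = {"domain-admins"}
INACTIVITY_LIMIT = timedelta(days=90)


def _parse_date(value):
    """Empty cell -> None, otherwise an ISO date (YYYY-MM-DD)."""
    return date.fromisoformat(value) if value else None


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "username": row["username"],
            "role": row["role"],
            "last_login": _parse_date(row["last_login"]),
            "left_on": _parse_date(row["left_on"]),
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return records


def review_access(records, today):
    """Return (username, finding) pairs for the asset owner to action or sign off.

    A leaver is reported once and skipped: every other check is moot when all
    of the account's access is to be removed anyway.
    """
    findings = []
    for r in records:
        if r["left_on"] and r["left_on"] <= today:
            findings.append((r["username"], "leaver: remove all access rights"))
            continue
        if r["last_login"] is None:
            findings.append((r["username"], "never logged in: confirm access is still required"))
        elif today - r["last_login"] > INACTIVITY_LIMIT:
            idle = (today - r["last_login"]).days
            findings.append((r["username"], f"inactive for {idle} days: confirm or remove"))
        privileged = r["groups"] & PRIVILEGED_GROUPS
        if privileged:
            findings.append((r["username"],
                             f"privileged membership {sorted(privileged)}: re-authorise with the owner"))
    return findings


if __name__ == "__main__":
    review_date = date(2015, 7, 1)  # fixed review date so the run is reproducible
    for user, finding in review_access(parse_export(SAMPLE_EXPORT), review_date):
        print(f"{user:8} {finding}")
```

The findings list is the record the auditor asks for: who was reviewed, when, what was flagged and (once the owner responds) what was done about it. A real run would pull the export from the directory or HR system and write the findings somewhere they can be retained as evidence.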
Annex A.11.1.2 - Physical entry controls
● Date and time of entry and departure of visitors should be recorded;
● Visitors should be escorted at all times;
● Access to areas processing or storing sensitive information should be restricted
to authorised individuals only;
● Physical or electronic records of access should be securely maintained;
● All personnel, whether internal or external, should wear visible identification;
● Access rights to secure areas should be regularly reviewed and updated.
Secure areas should be protected by appropriate entry controls to ensure only
authorised personnel are allowed access.
Annex A.11.2.9 - Clear desk and clear screen policy
● Sensitive information should be locked away when not required or if the
desk is vacated;
● Computer screens should be locked and require a password to unlock
after a period of inactivity;
● Paper media should be removed from printers, scanners etc. immediately
A clear desk policy for papers and removable storage media and a clear screen policy
for information processing facilities should be adopted.
Annex A.15.1.2 - Addressing security within supplier agreements
● Descriptions of the information and methods for accessing it;
● Legal and regulatory requirements;
● Acceptable use of information;
● Obligations of each party;
● Incident management procedures;
● Training and awareness requirements;
● Right to audit.
Supplier agreements should be established and documented to ensure understanding
between organisations with regard to their obligations regarding information security.
Annex A.18.1 - Compliance with legal and contractual requirements
● Identification of all legal and contractual obligations;
● Data protection and retention;
● Protection of personally identifiable information.
To avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.
Scott McAvoy | @5c077mc | Managing Security Consultant
References and links
ISO/IEC, Oct 2013. ISO/IEC 27001:2013. Information technology - Security
techniques - Information security management systems - Requirements
ISO/IEC, Oct 2013. ISO/IEC 27002:2013. Information technology - Security
techniques - Code of practice for information security controls
7safe - Technical infrastructure and application testing training and external
BSI - ISO27001 Implementation and Audit training and external audit
IT Governance - ISO27001 toolkits
27001 Academy - ISO27001 guidance and toolkits
AlienVault - Security Information and Event Management (SIEM)
SANS - CWE/SANS Top 25 most dangerous software errors
OWASP - Top 10 most critical web application security risks