
Implementing ISO27001 2013

An overview of how to complete the essential elements of ISO27001:2013 and some example controls from ISO27002:2013.


  1. Implementing ISO27001:2013
     Scott McAvoy | @5c077mc | Managing Security Consultant

  2. Information security
     Information is defined as: an asset that, like any other important business asset, is essential to an organisation's business. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
     Information security and its objectives are defined as protecting and preserving the following principles:
     • Confidentiality - the property that information is not made available or disclosed to unauthorised individuals, entities or processes;
     • Integrity - the property of safeguarding the accuracy and completeness of assets;
     • Availability - the property of being accessible and usable upon demand by an authorised entity.

  3. Agenda
     • ISO27001 history and certification bodies
     • ISO27001:2013 Clauses 4-10
     • ISO27001:2013 example Annex A controls

  4. ISO27001:2013
     • From 1995 to 2015
     • Certification bodies
     • Compliance or certification?

  5. ISO27001: From 1995 to 2015
     • 1995: UK Department for Trade & Industry (DTI) writes, and the British Standards Institute (BSI) publishes, BS7799.
     • 2000: BS7799 is adopted by the International Organisation for Standardisation (ISO) and the International Electrotechnical Committee (IEC) and renamed ISO/IEC 17799.
     • 2005: ISO/IEC 27001:2005 is published, building in suggested security controls, risk assessment and risk management.
     • 2014: ISO/IEC 27001:2013 published.

  6. ISO27001: Certification bodies

  7. ISO27001: Compliance or certification?
     Compliance
     • Why? No contractual obligations. Best practice.
     • Pros: Less cost. Less resource.
     • Cons: Prevents working with some clients. Adds overhead to working with some clients.
     Certification
     • Why? Contractual obligation. Competitive advantage.
     • Pros: Internationally recognised. Reduces the impact of security on client relationships. Shows commitment.
     • Cons: Expensive. Potentially dedicated resource.

  8. ISO27001:2013 Clauses 4-10
     • Context of the organisation
     • Leadership
     • Planning
     • Support
     • Operation
     • Performance evaluation
     • Improvement

  9. ISO27001: Context of the organisation
     What?
     • Organisation issues;
     • Interested parties' needs and expectations;
     • Information Security Management System (ISMS) scope.
     How?
     • PESTEL and SWOT analysis.
     Required documentation
     • ISMS scope.

  10. ISO27001: Leadership
     What?
     • Demonstration of top management commitment to information security;
     • Information security policy;
     • Roles, responsibilities and authorities.
     How?
     • Security forum;
     • Security task force;
     • Visible board support.
     Required documentation
     • Information security policy.

  11. ISO27001: Planning
     What?
     • Determine risks and opportunities which need to be addressed;
     • Define an information security risk assessment process;
     • Define an information security risk treatment process;
     • Define information security objectives.
     How?
     • SWOT analysis;
     • Risk assessment and treatment templates;
     • ISO27005;
     • Simple objectives with simple measures to begin with.
     Required documentation
     • Risk assessment process;
     • Risk treatment process;
     • Statement of Applicability;
     • Information security objectives.

  12. ISO27001: Support
     What?
     • Determine and provide the resources needed;
     • Determine the necessary competence and ensure it is met;
     • Staff awareness;
     • Internal and external communication;
     • The need for documented information.
     How?
     • Map competency to specific training;
     • Staff document set and test;
     • Communications plan;
     • Quality management control of documents.
     Required documentation
     • Evidence of competence.

  13. ISO27001: Operation
     What?
     • Perform risk assessment;
     • Perform risk treatment.
     How?
     • Risk assessment and treatment templates;
     • Involve top management.
     Required documentation
     • Results of risk assessment;
     • Results of risk treatment.

  14. ISO27001: Performance evaluation
     What?
     • Monitoring and measuring;
     • Internal audit;
     • Management review.
     How?
     • Simple measures to begin with;
     • ISO27004;
     • Audit programme;
     • Review plan.
     Required documentation
     • Monitoring and measuring results;
     • Audit programme;
     • Audit results;
     • Management review results.
  15. ISO27001: Improvement
     What?
     • Nonconformities;
     • Corrective actions;
     • Continual improvement.
     How?
     • Nonconformity and corrective action templates;
     • Internal and external audit;
     • Internal and external penetration testing.
     Required documentation
     • Nature of nonconformities;
     • Corrective actions taken;
     • Results of corrective actions.
  16. ISO27001:2013 Annex A controls
     • Mobile device policy
     • Access control policy
     • Physical entry controls
     • Clear desk and clear screen policy
     • Addressing security in supplier agreements
     • Compliance with legal and contractual requirements

  17. Annex A.6.2.1 - Mobile device policy
     • Registration of mobile devices;
     • Requirements for physical protection;
     • Restriction of software installation;
     • Restriction of connection to information services;
     • Access controls;
     • Cryptographic techniques;
     • Remote disabling, wipe or lockout.
     When using mobile devices, special care should be taken to ensure that business information is not compromised.

  18. Annex A.9.1.1 - Access control policy
     • Relevant legislation and any contractual obligations regarding limitation of access to data or services;
     • Formal authorisation of access requests;
     • Periodic review of access rights;
     • Removal of access rights;
     • Roles with privileged access.
     Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets.

  19. Annex A.11.1.2 - Physical entry controls
     • Date and time of entry and departure of visitors should be recorded;
     • Visitors should be escorted at all times;
     • Access to areas processing or storing sensitive information should be restricted to authorised individuals only;
     • Physical or electronic records of access should be securely maintained;
     • All personnel, whether internal or external, should wear visible identification;
     • Access rights to secure areas should be regularly reviewed and updated.
     Secure areas should be protected by appropriate entry controls to ensure only authorised personnel are allowed access.

  20. Annex A.11.2.9 - Clear desk and clear screen policy
     • Sensitive information should be locked away when not required or if the desk is vacated;
     • Computer screens should be locked, and require a password to unlock, after a period of inactivity;
     • Paper media should be removed from printers, scanners etc. immediately after use.
     A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

  21. Annex A.15.1.2 - Addressing security within supplier agreements
     • Descriptions of the information and methods for accessing it;
     • Legal and regulatory requirements;
     • Acceptable use of information;
     • Obligations of each party;
     • Incident management procedures;
     • Training and awareness requirements;
     • Right to audit.
     Supplier agreements should be established and documented to ensure understanding between organisations with regard to their obligations regarding information security.
  22. Annex A.18.1 - Compliance with legal and contractual requirements
     • Identification of all legal and contractual obligations;
     • Data protection and retention;
     • Protection of personally identifiable information.
     Objective: to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
  23. Questions?
     Scott McAvoy | @5c077mc | Managing Security Consultant

  24. References and links
     • ISO/IEC, Oct 2013. ISO/IEC 27001:2013. Information technology - Security techniques - Information security management systems - Requirements.
     • ISO/IEC, Oct 2013. ISO/IEC 27002:2013. Information technology - Security techniques - Code of practice for information security controls.
     • 7safe - Technical infrastructure and application testing training and external penetration testing.
     • BSI - ISO27001 implementation and audit training and external audit.
     • IT Governance - ISO27001 toolkits.
     • 27001 Academy - ISO27001 guidance and toolkits.
     • AlienVault - Security Incident & Event Monitoring (SIEM).
     • SANS - Top 25 most dangerous errors in software.
     • OWASP - Top 10 most critical data risks.