2. What is Information?
•
•
•
•
•
•
•
Current Business Plans
Future Plans
Intellectual Property (Patents, etc)
Employee Records
Customer Details
Business Partners Records
Financial Records
5. Structure of 27000 series
27000 Fundamentals & Vocabulary
27001:ISMS
27005
Risk
Management
27002 Code of Practice for ISM
27003 Implementation Guidance
27004 Metrics & Measurement
27006 Guidelines on ISMS accreditation
6. ISO 27001:2005
• ISO/IEC 27001:2005 formally specifies a management system
that is intended to bring information security under explicit
management control.
• Annex (Control Objectives and Controls )
• 11 Security Domains (A5 A 15)
• Layers of security
• 39 Control Objectives
• Statement of desired results or purpose
• 133 Controls
• Policies, procedures, practices, software controls and organizational
structure
• To provide reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or detected
and corrected
• Exclusions in some controls are possible, if they can be justified???
7. Contains
The standard contains 11 domains(apart from introductory sections)
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and
leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical
security controls in systems and networks
• Access control - restriction of access rights to networks, systems, applications,
functions and data
• Information systems acquisition, development and maintenance - building
security into applications
• Information security incident management - anticipating and responding
appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering
business-critical processes and systems
• Compliance - ensuring conformance with information security policies,
standards, laws and regulations
8. The PDCA Cycle
• Plan (establishing the ISMS)
• Establish the policy, the ISMS objectives, processes and procedures
related to risk management and the improvement of information
security to provide results in line with the global policies and
objectives of the organization.
• Do (implementing and workings of the ISMS)
• Implement and exploit the ISMS policy, controls, processes and
procedures.
• Check (monitoring and review of the ISMS)
• Assess and, if applicable, measure the performances of the
processes against the policy, objectives and practical experience and
report results to management for review.
• Act (update and improvement of the ISMS)
• Undertake corrective and preventive actions, on the basis of the
results of the ISMS internal audit and management review, or other
relevant information to continually improve the said system.
9. A.5 Security Policy
To provide management direction and support for information
security in accordance with business requirements and relevant
laws and regulations.
•
•
•
•
Approved by Management
Communicated to Employees and relevant external parties
Reviewed at planned intervals
Ensure its continuing suitability, adequacy, and effectiveness.
10. A.6 Organization of Information Security
To manage information security within the organization.
• Management shall actively support security within
organization.
• Co-ordinated by representatives from different parts of
organization.
• Confidentiality and non-disclosure agreements.
• Appropriate contacts with relevant authorities, security
forums and professional associations shall be maintained.
• Independent reviews should be conducted at planned
intervals or when significant changes to the security
implementation occur.
11. A.7 Asset Management
Typical policy statements for Asset Management include:
• All assets shall be clearly identified, documented and regularly
updated in an asset register
• All assets shall have designated owners and custodians listed
in the asset register
• All assets will have the respective CIA (Confidentiality, Integrity
and Availability) rating established in the asset register
• All employees shall use company assets according to the
acceptable use of assets procedures
• All assets shall be classified according the asset classification
guideline of the company
12. A.8 Human Resource Security
Prior to Employment:
• Define roles and responsibilities.
• Background verification
• Terms and Conditions of employment
During Employment
• Application of security according to roles and responsibilities.
• InfoSec awareness, education and training.
• Disciplinary process for employees who have commited
security breach.
Post Termination or Change
• Termination responsibilities
• Return of Assets
• Removal of access rights.
13. A.9 Physical and Environmental Security
Secure Areas
• Physical security perimeter
• Physical entry controls
• Securing offices, rooms and facilities
• Protecting against external and environmental threats
• Guidelines for working in secure areas
• Public access, delivery and loading areas
Equipment Security
• Equipment sitting, support utilities and cabling security
• Maintenance, secure disposal/re-use and removal.
14. A.10 Communications and Operations
Management
Operational procedures and responsibilities
• Documented operating procedures
• Change management
• Segregation of duties
• Separation of development, test and operational facilities
Third Party Service Delivery Management
• Implement security controls, service definition and delivery
levels in agreement.
• Monitoring and review of third party services
• Managing changes to third party services
15. Company
A company may want to adopt ISO 27001 for the following
reasons:
• It is suitable for protecting critical and sensitive information
• It provides a holistic, risk-based approach to secure
information and compliance
• Demonstrates credibility, trust, satisfaction and confidence
with stakeholders, partners, citizens and customers
• Demonstrates security status according to internationally
accepted criteria
• Creates a market differentiation due to prestige, image and
external goodwill
• If a company is certified once, it is accepted globally.
16. Asset Classification
• CONFIDENTIAL: This category refers to asset information that
relates to individuals or is otherwise restricted only to
authorized users, and if disclosed outside the company would
harm the organization, its customers, or its partners.
• RESTRICTED: The restricted level of asset information pertains
to highly sensitive information to the company; which when
disclosed would cause substantial damage to the reputation
and competitive position of the company in the market.
• INTERNAL: This classification refers to asset information that is
potentially available to all personnel within the company, but
is not public.
• PUBLIC: This classification refers to asset information that has
been published or obtainable from a published source, e.g.
the Internet.
17. User Registration
Typical policy statements can include:
• All users shall have a unique user ID based on a standard naming
convention
• A formal authorization process shall be defined and followed for
provisioning of user IDs.
• An audit trail shall be kept of all requests to add, modify or delete
user accounts/IDs
• User accounts shall be reviewed at regular intervals
• Employee shall sign a privilege form acknowledging their access
rights
• Access rights will be revoked for employee changes or leaving jobs
• Privileges shall be allocated to individuals on a ‘need-to-have’ basis.
• A record of all privilege accounts shall be maintained and updated
on regular basis
18. Password Management
Typical organizational password management policies include:
• Users shall be forced to change their passwords at the time of first
use
• Passwords shall have a minimum length of eight characters
• Passwords for all users shall expire in 30/60 days
• A record of five previous passwords shall be maintained to prevent
re-use of these passwords
• A maximum of three successive login failures shall result in a user’s
account being locked out
• Passwords shall not be displayed in clear text when they are being
keyed in
• Passwords must include at least one small character (a-z), one
capital character (A-Z) and one numeric character (0 – 9) / one
special character (@ # $ & / +)
• All password entry tries shall be logged along with date, time, ip
address, machine name, application and user ID for successful,
unsuccessful login attempts
19. Clear Work Environment
Example of clear work environment policies include:
• Critical information shall be protected when not required for
use
• Only authorized users shall use the photocopier machines
• All loose documents from employee’s desks shall be
confiscated at the end of business day
• A users desktop shall not contain reference to any document
directly or indirectly
20. Operating System and
Application Controls
Sample operating system and application control policies include:
• All users in the organization shall have a unique ID
• No systems or application details shall be displayed before log-in
• In the condition of log-in failure, the error message shall not indicate
which part of the credential is incorrect
• The number of unsuccessful log-in attempts shall be limited to 3/5/6
attempts
• During log-in process, all password entries shall be hidden by a
symbol
• The use of system utility program shall be restricted e.g. password
utility
• All operating systems and application shall time out due to inactivity
in 5/10/15/30 minutes
• All applications shall have dedicated administrative menus to control
access rights of users
21. Network Security
Typical policy statements for Network Security include:
• Appropriate authentication mechanisms shall be used to
control the access by remote users.
• Allocation of network access rights shall be provided as per
the business and security requirements
• Two-factor authentication shall be used for authenticating
users using mobile/remote systems
22. Benefits
The key benefits of 27001 are:
• It can act as the extension of the current quality system to
include security
• It provides an opportunity to identify and manage risks to key
information and systems assets
• Provides confidence and assurance to trading partners and
clients; acts as a marketing tool
• Allows an independent review and assurance to you on
information security practices
23. Drawbacks
• It has some things that don’t make sense.
• Some controls define almost the same issues causing
confusion. Like A.9.2.6 (Secure disposal or re-use of
equipment) and A.10.7.2 (Disposal of media)
• Some issues, like relationships with third parties, are scattered
around various clauses of Annex A – you can find it in clause
A.6.2 (External parties), A.8 (Human resources security) and
A.10.2 (Third party service delivery management), and control
A.12.5.5 (Outsourced software development)
• Only 6 controls has the word documented in it. Does that
mean we can implement all others without documentation?
24. Changes made in ISO 27001:2013
• No. of sections have increased from 11 to 14.
• Management and Leadership re defined as two separate
requirements.
• Section 6: Planning and it’s evaluation
• New chapter added on Performance evaluation
25. New Controls
•
•
•
•
•
•
•
•
A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply
chain
• A.16.1.4 Assessment of and decision on information security
events
• A.16.1.5 Response to information security incidents
• A.17.2.1 Availability of information processing facilities