This video focuses on the management clauses of the ISO 27001:2013 standard. Management clause 6 of the ISMS framework relates to 'Planning'.
The 'General' and 'Risk Assessment' sections are explained in this presentation. - by a software development company in India
Ref:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
2. Planning - ISMS requirements
It is not enough to do your best; you must know what to do and then do your
best. – W. Edwards Deming
An organization needs to establish its strategic objectives, identify the
risks and opportunities that affect them, and relate those to the scope of the ISMS.
The following are the prerequisites for the planning phase, which focuses on
establishing an effective and sustainable ISMS:
Management commitment to security
Security policy
Security strategy and plan
Security Measures
Web development company India http://www.ifourtechnolab.com
3. Planning – ISMS requirements (continued)
ISO 27001:2013 classifies planning into:
Clause 6.1: Actions to address risks and opportunities.
Clause 6.1.1: General
Clause 6.1.2: Information security risk assessment
Clause 6.1.3: Information security risk treatment
Clause 6.2: Information security objectives and planning to achieve them.
Planning for the ISMS requirements is done keeping these factors in mind:
Size of the organization
Nature of its business
Maturity of its processes in implementing ISO 27001
Commitment of senior management
4. Planning process
Clause 6.1 Actions to address risks and opportunities
The planning flow shown on this slide runs as follows:
Determine internal issues, external issues, and interested parties and their requirements (the context established under clause 4).
Define the methods and criteria for identifying risks and opportunities.
Determine the risks and opportunities that need to be addressed, so that the ISMS achieves its intended outcomes, prevents or reduces undesired effects, and achieves continual improvement.
Plan actions to address those risks and opportunities: methods of prevention and reduction of undesired effects, with the acceptable level of risk proportional to the potential impact.
Draw up the action plan, including how the actions will be evaluated and how they will be integrated into the ISMS processes.
Implement the actions.
5. Establish an ISMS
Clause 6.1 (Continued)
6. Clause 6.1.2 Information security risk assessment
Risk is the likelihood that an incident occurs and causes harm to an
information asset, combined with the impact of that harm.
The purpose of risk assessment is to identify:
Threats to organizations (i.e., operations, assets, or individuals) or threats directed
through organizations against other organizations or the nation.
Vulnerabilities, internal and external to organizations.
The adverse impact to organizations that may occur, given the potential for threats to exploit
those vulnerabilities.
The likelihood that harm will occur.
Clause 6.1.2 focuses on:
Defining an information security risk assessment process.
Assessing the organization's information security risks.
7. Clause 6.1.2 (Continued)
Defining an information security risk assessment process
How you are going to perform the risk assessment process:
The organization shall define and apply a risk assessment process that:
Establishes and maintains information security risk criteria, including:
Risk acceptance criteria
Criteria for performing information security risk assessments
How you are going to ensure that repeatedly performed risk assessments
produce results that are:
Consistent
Valid
Comparable
8. Risk assessment process: Identify, Analyze, Evaluate
Clause 6.1.2 (Continued)
9. Clause 6.1.2 (Continued)
Identify the organization's information security risks
Identify the risks associated with loss of confidentiality, integrity and availability (CIA) of information within the scope of the ISMS.
Identify the risk owners.
Analyze the organization's information security risks
Assess the consequences the organization would face if the identified risks
materialize.
Assess the realistic likelihood of occurrence of the identified risks.
Determine the level of each risk.
Evaluate the organization's information security risks
Compare the risk analysis results with the risk criteria established earlier.
Prioritize the analyzed risks for risk treatment.
10. Example of a stepwise risk assessment approach:
Clause 6.1.2 (Continued)
Calculate the asset value
•Cost of the actual asset
•Cost to protect the asset
Identify vulnerabilities and categorize them as
•Very High, High, Medium or Low
Identify threats and categorize them as
•Very High, High, Medium or Low
Identify the probability and business impact of potential threats
•Frequency of attack and extent of loss
•Impact severity = Asset value x Threat severity x Vulnerability severity
Calculate the risk score
•Risk score = Impact severity x Probability
•Based on the risk score's level, decide the appropriate risk treatment.
Ascertain and establish controls
•Identify countermeasures and solutions to eliminate or reduce the potential damage
•Do a cost/benefit analysis before implementing each control
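The stepwise approach above, carried through on a small constructed risk register as an added example (this code is not part of the original presentation). It applies the slide's two formulas, then performs the evaluate step against a risk acceptance criterion and a cost/benefit check on a candidate control. The weights assigned to the Very High/High/Medium/Low categories, the acceptance threshold, the three assets and the control cost are all assumptions made for the example, not values from ISO 27001.

```python
"""Worked risk-scoring example following the slide's formulas:

    Impact severity = asset value x threat severity x vulnerability severity
    Risk score      = impact severity x probability

Scale weights, the acceptance threshold, the sample register and the
control cost are assumptions for this example, not ISO 27001 values.
"""
from dataclasses import dataclass, replace

# Assumption: the four ordinal categories are mapped to weights in (0, 1].
# With this choice impact severity never exceeds the asset value, and when
# probability is given as expected events per year the risk score reads as
# an expected annual loss in the same currency as the asset value.
SEVERITY = {"Very High": 1.0, "High": 0.75, "Medium": 0.5, "Low": 0.25}


@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str            # clause 6.1.2 requires a risk owner for each risk
    asset_cost: float     # cost of the actual asset
    protect_cost: float   # cost to protect the asset
    threat: str           # threat category: Very High / High / Medium / Low
    vulnerability: str    # vulnerability category, same scale
    probability: float    # expected frequency of attack, events per year

    @property
    def asset_value(self) -> float:
        """Step 1: asset value = cost of the asset + cost to protect it."""
        return self.asset_cost + self.protect_cost

    @property
    def impact_severity(self) -> float:
        """Step 4: asset value x threat severity x vulnerability severity."""
        return self.asset_value * SEVERITY[self.threat] * SEVERITY[self.vulnerability]

    @property
    def risk_score(self) -> float:
        """Step 5: impact severity x probability."""
        return self.impact_severity * self.probability


def evaluate(risks, acceptance_threshold):
    """Evaluate step: compare each score with the risk acceptance criterion
    and return the register prioritised for treatment (highest score first).
    Scores above the threshold are flagged 'treat', the rest 'accept'."""
    ranked = sorted(risks, key=lambda r: r.risk_score, reverse=True)
    return [(r, "treat" if r.risk_score > acceptance_threshold else "accept")
            for r in ranked]


def control_is_worthwhile(risk, new_vulnerability, annual_control_cost):
    """Step 6 cost/benefit check for a control that lowers the vulnerability
    category: worthwhile only if the yearly reduction in risk score exceeds
    the yearly cost of the control. Returns (decision, reduction)."""
    treated = replace(risk, vulnerability=new_vulnerability)
    reduction = risk.risk_score - treated.risk_score
    return reduction > annual_control_cost, reduction


# Constructed sample register (assumption): three assets with invented values.
REGISTER = [
    Risk("Customer database", "Head of IT", 200_000, 50_000, "High", "High", 0.5),
    Risk("Public website", "Head of Marketing", 30_000, 10_000, "Very High", "Medium", 2.0),
    Risk("Office printers", "Facilities", 5_000, 500, "Low", "Medium", 1.0),
]
ACCEPTANCE_THRESHOLD = 10_000  # assumed risk acceptance criterion, per year

if __name__ == "__main__":
    for risk, decision in evaluate(REGISTER, ACCEPTANCE_THRESHOLD):
        print(f"{risk.asset:18} owner={risk.owner:18} impact={risk.impact_severity:>9.1f} "
              f"score={risk.risk_score:>8.1f} -> {decision}")
    ok, gain = control_is_worthwhile(REGISTER[0], "Low", annual_control_cost=20_000)
    print(f"Hardening the database to 'Low' vulnerability reduces risk by {gain:.1f}; "
          f"worthwhile at 20000/yr: {ok}")
```

Because the formulas multiply categories that are ordinal, the scores only mean something when every assessment uses the same scales and weights; that is exactly the consistency and comparability requirement in clause 6.1.2, so the weight table and the threshold should be recorded as part of the risk criteria rather than chosen per assessment.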