ISO 27001 and ISO 27002 provide guidance for establishing an Information Security Management System (ISMS) to ensure confidentiality, integrity, and availability of information. The document discusses key aspects of an ISMS including (1) defining information security and risks, (2) selecting appropriate controls based on a risk assessment, and (3) implementing the Plan-Do-Check-Act model to establish, operate, monitor, and improve the ISMS over time. Management commitment, clear roles and responsibilities, training, and regular reviews are critical to the successful implementation and maintenance of an ISMS.
Information Security Management Systems (ISMS) by Dr Wafula
1. ISO 27001 and ISO 27002:2005
INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)
Dr Muliaro J Wafula PhD, FCCS
2. Aims/objectives
1. Introduction
2. Information security standards
◦ Clauses
◦ Control objectives
◦ Controls
3. ISMS implementation using the PDCA model
Dr Muliaro-ISMS 2
3. Information Security (IS) Definition
Why IS?
1. Ensure business continuity
2. Reduce/prevent damage to the business
3. Ensure preservation of confidentiality, integrity and availability of information. Authenticity, accountability, non-repudiation and reliability are also enhanced.
4. Interconnection of networks poses risk
5. Trends in distributed computing
6. Participation of customers/employees/stakeholders
7. Marketing of products/services
8. Internal management tool for control and confidence
9. Dependence on information systems, which are vulnerable to IS threats
10. Information, systems and networks are key business assets
4. Information Security Management System (ISMS)
Definition: that part of the overall management system, based on a business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security.
A management process with 3 key components:
◦ Confidentiality: available to authorized parties only
◦ Integrity: accurate and complete
6. Information security risks
Information theft
Intrusion and subversion of system resources
Denial of service
Loss
Corruption
Masquerade
Paper documents
What are the most common IS mistakes made by individuals?
7. Common IS mistakes
1. Unattended computer left on
2. Bad password etiquette (no default)
3. Laptops stolen
4. Keeping passwords on post-it notes
5. Opening e-mail attachments from strangers
6. Check in/out workers' ethics

1. Loose talk about passwords in public
2. Getting into a rush and bypassing key security measures
3. Vague knowledge of the security policy
4. Non-reporting of security violations
5. Late in updating
8. Selection of Controls
Expenditure on controls needs to be balanced against the business harm/risk they address.
Common ones include:
◦ Data protection and privacy of personal information (15.1.4)
◦ Protection of organizational records (15.1.3)
◦ Intellectual property rights (15.1.2)
◦ Information security policy document (5.1.1)
◦ Business continuity management (14), etc.
9. ISO 27002:2005
Provides guidance on best practices for information security management.
Prime objectives are:
◦ A common basis for organizations
◦ Building confidence in inter-organizational dealings
It defines a set of control objectives, controls and implementation guidance.
10. ISO 27001:2005
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
It is designed to ensure adequate security controls to protect information assets, and to document the ISMS.
Applicable for assessment and certification.
11. Clauses
Clauses 4-8 are mandatory.
How would you ensure that management:
◦ is committed to IS?
◦ establishes roles and responsibilities for IS?
◦ provides training, awareness and competency?
◦ carries out reviews of the ISMS?
12. PDCA Model: Establishment & Management of the ISMS (Plan)
1. Scope and boundaries
2. Policy/objectives
3. Define the risk assessment approach
4. Identify risks
5. Analyse and evaluate risks
6. Identify and evaluate options for risk treatment
7. Select control objectives and controls
8. Obtain management approval of residual risk
9. Obtain management authorization to implement and operate the ISMS
10. Prepare the statement of applicability
13. PDCA Model: Implementation & Operation of the ISMS (Do)
1. Formulate the risk treatment plan
2. Implement the risk treatment plan
3. Define how to measure the effectiveness of selected controls
4. Implement the controls selected to meet control objectives
5. Implement training and awareness
6. Manage operations and resources
7. Implement procedures and other controls
14. PDCA Model: Monitoring & Reviewing the ISMS (Check)
1. Execute monitoring procedures and other controls
2. Undertake regular reviews of the effectiveness of the ISMS
3. Measure the effectiveness of controls
4. Review risk assessments at planned intervals
5. Review the level of residual risk and identified acceptable risk
6. Internal ISMS audit/management review
7. Update security plans
8. Record actions and events
15. PDCA Model: Maintaining & Improving the ISMS (Act)
1. Implement identified improvements
2. Take appropriate corrective and preventive actions
3. Communicate the actions and improvements
4. Ensure improvements achieve their intended objectives
16. ISMS Critical Success Factors
1. Information security policy, objectives and activities that reflect business objectives
2. An approach and framework for implementing, maintaining, monitoring and improving IS that is consistent with the organizational culture
3. Visible support and commitment from all levels of management
4. A good understanding of the information security requirements, risk assessment and risk management
5. Effective marketing of IS to all managers, employees and other parties to achieve awareness
6. Distribution of guidance on IS policy and standards to all managers/employees/stakeholders
7. Funding of IS management activities
8. Providing appropriate awareness, training and education
9. Establishment of an effective IS incident management process
10. Implementation of a measurement system for performance in IS management, with feedback of information for improvement
17. JKUAT Information Security Policy (JISP)
The specific objectives of information security are to:
◦ Protect information resources from unauthorized access;
◦ Ensure the continuity of systems processing services;
◦ Guarantee the privacy and accuracy of information resources;
◦ Allow proper restoration of the functionality of damaged resources;
◦ Prevent and detect possible threats, violations and security incidents.