SlideShare une entreprise Scribd logo

ISO 27001

n|u - The Open Security Community
n|u - The Open Security Community

ISO 27001 by Sudhanwa Jogalekar @ null Pune Meet, March, 2011

Technologie
1  sur  17
Télécharger pour lire hors ligne
Introduction to ISO/IEC 27000 ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization by Sudhanwa Jogalekar
Sudhanwa Jogalekar • Qualifications: BE, DBM, MCM, (Dip cyberlaw) • Professional certification: ISO 27001 Lead Auditor • Professional experience : 25 years • Academic experience: Syllabus design, paper setting, assessments, QIP, teachers training programs, visiting faculty etc. for Pune, Symbiosis University • FOSS evangelist. Promoting FOSS for 10 years. Conduct FOSS workshops, seminars, training programs, conferences etc.
Various Standards • ISO 9000 (QMS) • ISO 14000 (EMS) • ISO 27000 (ISMS) • ISO 20000 (IT SMS)
ISO 27000 family • ISO/IEC 27001 formal ISMS specification • ISO/IEC 27002 infosec controls guide • ISO/IEC 27003 implementation guide • ISO/IEC 27004 infosec metrics • ISO/IEC 27005 infosec risk management • ISO/IEC 27006 ISMS certification guide • ISO/IEC 27011 ISO27k for telecomms • ISO/IEC 27033-1 network security • ISO 27799 ISO27k for healthcare
ISO 27000 Basics
Why ISO 27001? ● ISO/IEC 27001 is an investment in the company’s future ● A “risk based” management system to help organisations plan and implement an information security management system (ISMS),assists organisations by providing a structured and a proactive approach to information security, by making sure the right people, processes, procedures and technology are in place to protect information assets. ● Help minimise possible harm to organisations that can be caused by deliberate or accidental acts.
Why ISO 27001? ● Framework that will take account of all legal and regulatory requirements. ● Gives the ability to demonstrate and independently assure the internal controls of a company (corporate governance) ● Proves senior management commitment to the security of business and customer information ● Helps provide a competitive edge to the company ● Reduces the amount of time and effort when audited by internal compliance reviews or external audits ● Easier to obtain funding and resources for information security team and security objectives
Why certification? ● Provides a goal, which will help facilitate the implementation of an information security management system and security controls ● Formalizes, and independently verifies, Information Security processes, procedures and documentation ● Independently verifies that risks to the company are properly identified and managed ● Help identify and meet contractual and regulatory requirements ● Demonstrates to customers that security of their information is taken seriously
Certification ● Standard ● Policies ● Regulations ● Mandatory ● Best practices
Certification ● Management Support ● Staff support ● Technical support ● Vendor support – SLA, NDA ● Best practices
Information Security V/S IT Security ● User desktops ● Manager laptops ● Servers ● LAN, WAN ● Server room A/C ● Company bus/car drivers ● Security guard at reception ● Routers ● Fire extinguishers ● Canteen ● Software licenses
ISMS and Asset Management ISMS is “Management assurance mechanism for security of business information assets from potential security breach.” It relates to all types of information, be it paper based or electronic. Secure information is one that ensures Confidentiality, Integrity and Availability. Confidentiality: ensuring that information can only be accessed by those with the proper authorization Integrity: safeguarding the accuracy and completeness of information and the ways in which it is processed Availability: ensuring that authorized users have access to information and associated assets when required
ISMS and Asset Management “Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.” Asset is something that has “value”. Information assets of an organization: Business data, Employee information, Research records Price lists, Tender documents Organization must determine which assets can materially affect the delivery of product/service by their absence or degradation
Information Security… “Information Security is about protecting Information through selection of appropriate Security Controls”. Processed Paper Stored based, ISMS determines Information Transferred Electronic, how information is etc Archived Destroyed Ensuring C, I, A for secure information To protect information assets from potential security breach
Assets and RA/RTP ● Risk Assessment ● Risk Treatment Plan ● Continuous Improvement ● PDCA ● Audit process
ISO 27001 standard • Clause 4: Information Security Management System • Clause 5: Management Responsibility • Clause 6: Internal ISMS Audit • Clause 7: Management Review of the ISMS • Clause 8: ISMS Improvement • Annexure A: Domain, Control Objective & Controls 11 Domains 39 Control Specifies Objectives Satisfies Requirements Objectives 133 Controls
Introduction to ISO/IEC 27000 ??? Questions ??? Coming up Part II (Implementation)

Recommandé

Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
Midhun Nirmal
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
Operational Excellence Consulting
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 

Recommandé

Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
Midhun Nirmal
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
Operational Excellence Consulting
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
Business Beam
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
Dejan Kosutic
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
SAROJ BEHERA
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
Dr Madhu Aman Sharma
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
Tanmay Shinde
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
ControlCase
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
Jisc
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
Pranay Kumar
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 

Contenu connexe

Tendances

NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 

Tendances (20)

Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 

Similaire à ISO 27001

Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
Muhammad Mudassar
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
kevlekalakala
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
HyTrust
 

Similaire à ISO 27001 (20)

Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information security
Information securityInformation security
Information security
 
Know more about exin unique information security program
Know more about exin unique information security programKnow more about exin unique information security program
Know more about exin unique information security program
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
Advanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your BusinessAdvanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your Business
 
Cyber Security Management
Cyber Security ManagementCyber Security Management
Cyber Security Management
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
vsRisk - features and benefits.ppt
vsRisk - features and benefits.pptvsRisk - features and benefits.ppt
vsRisk - features and benefits.ppt
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
 
Certified Information Systems Security Professional
Certified Information Systems Security ProfessionalCertified Information Systems Security Professional
Certified Information Systems Security Professional
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 

Plus de n|u - The Open Security Community

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

ISO 27001

  • 1. Introduction to ISO/IEC 27000 ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization by Sudhanwa Jogalekar
  • 2. Sudhanwa Jogalekar • Qualifications: BE, DBM, MCM, (Dip cyberlaw) • Professional certification: ISO 27001 Lead Auditor • Professional experience : 25 years • Academic experience: Syllabus design, paper setting, assessments, QIP, teachers training programs, visiting faculty etc. for Pune, Symbiosis University • FOSS evangelist. Promoting FOSS for 10 years. Conduct FOSS workshops, seminars, training programs, conferences etc.
  • 3. Various Standards • ISO 9000 (QMS) • ISO 14000 (EMS) • ISO 27000 (ISMS) • ISO 20000 (IT SMS)
  • 4. ISO 27000 family • ISO/IEC 27001 formal ISMS specification • ISO/IEC 27002 infosec controls guide • ISO/IEC 27003 implementation guide • ISO/IEC 27004 infosec metrics • ISO/IEC 27005 infosec risk management • ISO/IEC 27006 ISMS certification guide • ISO/IEC 27011 ISO27k for telecomms • ISO/IEC 27033-1 network security • ISO 27799 ISO27k for healthcare
  • 6. Why ISO 27001? ● ISO/IEC 27001 is an investment in the company’s future ● A “risk based” management system to help organisations plan and implement an information security management system (ISMS),assists organisations by providing a structured and a proactive approach to information security, by making sure the right people, processes, procedures and technology are in place to protect information assets. ● Help minimise possible harm to organisations that can be caused by deliberate or accidental acts.
  • 7. Why ISO 27001? ● Framework that will take account of all legal and regulatory requirements. ● Gives the ability to demonstrate and independently assure the internal controls of a company (corporate governance) ● Proves senior management commitment to the security of business and customer information ● Helps provide a competitive edge to the company ● Reduces the amount of time and effort when audited by internal compliance reviews or external audits ● Easier to obtain funding and resources for information security team and security objectives
  • 8. Why certification? ● Provides a goal, which will help facilitate the implementation of an information security management system and security controls ● Formalizes, and independently verifies, Information Security processes, procedures and documentation ● Independently verifies that risks to the company are properly identified and managed ● Help identify and meet contractual and regulatory requirements ● Demonstrates to customers that security of their information is taken seriously
  • 9. Certification ● Standard ● Policies ● Regulations ● Mandatory ● Best practices
  • 10. Certification ● Management Support ● Staff support ● Technical support ● Vendor support – SLA, NDA ● Best practices
  • 11. Information Security V/S IT Security ● User desktops ● Manager laptops ● Servers ● LAN, WAN ● Server room A/C ● Company bus/car drivers ● Security guard at reception ● Routers ● Fire extinguishers ● Canteen ● Software licenses
  • 12. ISMS and Asset Management ISMS is “Management assurance mechanism for security of business information assets from potential security breach.” It relates to all types of information, be it paper based or electronic. Secure information is one that ensures Confidentiality, Integrity and Availability. Confidentiality: ensuring that information can only be accessed by those with the proper authorization Integrity: safeguarding the accuracy and completeness of information and the ways in which it is processed Availability: ensuring that authorized users have access to information and associated assets when required
  • 13. ISMS and Asset Management “Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.” Asset is something that has “value”. Information assets of an organization: Business data, Employee information, Research records Price lists, Tender documents Organization must determine which assets can materially affect the delivery of product/service by their absence or degradation
  • 14. Information Security… “Information Security is about protecting Information through selection of appropriate Security Controls”. Processed Paper Stored based, ISMS determines Information Transferred Electronic, how information is etc Archived Destroyed Ensuring C, I, A for secure information To protect information assets from potential security breach
  • 15. Assets and RA/RTP ● Risk Assessment ● Risk Treatment Plan ● Continuous Improvement ● PDCA ● Audit process
  • 16. ISO 27001 standard • Clause 4: Information Security Management System • Clause 5: Management Responsibility • Clause 6: Internal ISMS Audit • Clause 7: Management Review of the ISMS • Clause 8: ISMS Improvement • Annexure A: Domain, Control Objective & Controls 11 Domains 39 Control Specifies Objectives Satisfies Requirements Objectives 133 Controls
  • 17. Introduction to ISO/IEC 27000 ??? Questions ??? Coming up Part II (Implementation)