Download ISO27001 and 27002

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Mobile security wikipedia , lookup

IT risk management wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Computer security wikipedia , lookup

Information security wikipedia , lookup

Transcript 
ISO27001 and 27002
Removing the Smoke & Mirrors
Ken Anderson
AGENDA
1. History of ISO and Timeline
2. Overview of ISO 27000
3. Threats and Impacts ISO addresses
4. Objectives and benefits for measuring security
5. Best Practices
February 2008
Overview - ISO 27000
History of ISO - Timeline
1992
The Department of Trade and Industry (DTI), which is part of the UK
Government, publish a 'Code of Practice for Information Security
Management'.
1995
This document is amended and re-published by the British Standards Institute
(BSI) in 1995 as BS7799.
1996
Support and compliance tools begin to emerge, such as COBRA.
David Lilburn Watson becomes the first qualified certified BS7799 c:cure
Auditor
1999
The first major revision of BS7799 was published. This included many major
enhancements.
Accreditation and certification schemes are launched. LRQA and BSI are the
first certification bodies.
February 2008
Overview - ISO 27000
History of ISO – The Timeline
2000
In December, BS7799 is again re-published, this time as a fast tracked ISO
standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
2001
The 'ISO 17799 Toolkit' is launched.
2002
A second part to the standard is published: BS7799-2. This is an Information
Security Management Specification, rather than a code of practice. It begins
the process of alignment with other management standards such as ISO
9000.
2005
A new version of ISO 17799 is published. This includes two new sections, and
closer alignment with BS7799-2 processes..
2005
ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a
specification for an ISMS (information security management system), which
aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001
February 2008
Overview - ISO 27000
Where did 17799 come from?
• BS7799 was conceived, as a technology-neutral, vendorneutral management system that, properly implemented,
would enable an organization's management to assure
itself that its information security measures and
arrangements were effective.
• From the outset, BS7799 focused on protecting the
availability, confidentiality and integrity of organizational
information and these remain, today, the driving objectives
of the standard.
• BS7799 was originally just a single standard, and had the
status of a “Code of Practice”. In other words, it provided
guidance for organizations, but hadn't been written as a
specification that could form the basis of an external third
party verification and certification scheme.
February 2008
Overview - ISO 27000
Overview – ISO 27000 (base standard)
Published standards
ISO/IEC 27001 - the certification standard against which organizations' ISMS may be
certified (published in 2005)
ISO/IEC 27002 - the re-naming of existing standard ISO 17799 (last revised in 2005,
and renumbered ISO/IEC 27002:2005 in July 2007)
ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)
In preparation
ISO/IEC 27000 - a standard vocabulary for the ISMS standards
ISO/IEC 27003 - a new ISMS implementation guide
ISO/IEC 27004 - a new standard for information security management
measurements
ISO/IEC 27005 - a proposed standard for risk management
ISO/IEC 27007 - a guideline for auditing information security management systems
ISO/IEC 27011 - a guideline for telecommunications in information security
management system
ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare
industry
February 2008
Overview - ISO 27000
ISO/IEC 27001
ISO/IEC 27001 certification usually involves a three-stage audit process:
Stage 1 is a "table top" review of the existence and completeness of key
documentation such as the organization's security policy,
Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
Stage 2 is a detailed, in-depth audit involving testing the existence and
effectiveness of the information security controls stated in the
SoA and RTP, as well as their supporting documentation.
Stage 3 is a follow-up reassessment audit to confirm that a previouslycertified organization remains in compliance with the standard.
Certification maintenance involves periodic reviews and reassessments to confirm that the ISMS continues to operate as
specified and intended.
February 2008
Overview - ISO 27000
ISO/IEC 27002
ISO/IEC 27002 provides best practice recommendations on
IS security management systems (ISMS).
The standard contains the following twelve main sections:
1. Risk Assessment – determining asset vulnerability
2. Security Policy - management direction
3. Organization of Information Security - governance of
information security
4. Asset Management - inventory and classification of
information assets
5. Human Resources Security - security aspects for
employees joining, moving and leaving an organization
6. Physical and Environmental Security - protection of the
computer facilities
February 2008
Overview - ISO 27000
ISO/IEC 27002
7. Communications and Operations Management management of technical security controls
8. Access Control - restriction of access rights to networks,
systems, applications, functions and data
9. Information Systems Acquisition, development and
maintenance - building security into applications
10. Information Security Incident Management anticipating and responding appropriately to security
breaches
11. Business Continuity Management - protecting,
maintaining and recovering business-critical processes
and systems
12. Compliance - ensuring conformance with information
security policies, standards, laws and regulations
February 2008
Overview - ISO 27000
ISO/IEC 27002
Within each section, information security controls and their
objectives are specified and outlined.
Specific controls are not mandated since:
• Each organization is expected to undertake a structured
information security risk assessment process to determine
its specific requirements before selecting controls that are
appropriate to its particular circumstances.
• It is practically impossible to list all conceivable controls in
a general purpose standard. Industry-specific
implementation guidance for ISO/IEC 27001 and 27002
are anticipated to give advice tailored to organizations in
the telecomms, financial services, healthcare, lotteries
and other industries.
February 2008
Overview - ISO 27000
ISO 27002 Summary
(Eye Test)
February 2008
Overview - ISO 27000
February 2008
Overview - ISO 27000
Information security threats of 2008
CISSP / ISO27k implementers forum identifies the following threats:
• Imposition of legal and regulatory obligations.
• Cyber-criminals
• Malware, Trojans
• Phishers
• Spammers
• Negligent staff
• Storms, tornados, floods - Acts of God
• Hackers
• Unethical Employees who misuse/misconfigure system security
functions
• Unauthorized access, modification, disclosure of, information assets
• Nations attacking critical information infrastructures to cause disruption.
• Technical advances that can render encryption algorithms obsolete
February 2008
Overview - ISO 27000
Information security impacts
Resulting information security incidents can cause:
• Disruption to organizational routines and processes
• Direct financial losses through information theft and fraud
• Decrease in shareholder value
• Loss of privacy
• Reputational damage causing brand devaluation
• Loss of confidence in IT
• Expenditure on information security assest and data damaged, stolen,
corrupted or lost in incidents
• Loss of competitive advantage
• Reduced profitability
• Impaired growth due to inflexible infrastructure/system/application
environments
• Injury or loss of life if safety-critical systems fail
February 2008
Overview - ISO 27000
Objectives of measuring security
So what are the objectives of measuring security?
• To show ongoing improvement;
• To show compliance (with Standards, contracts, SLAs,
OLAs, etc);
• To justify any future expenditure (new security software,
training, people, etc);
• ISO 27001 certification requires it. Other Management
Systems also require it – ISO 9001, ISO 20000;
• To identify where implemented controls are not effective in
meeting their objectives;
• To provide confidence to senior management and
stakeholders that implemented controls are effective.
February 2008
Overview - ISO 27000
Benefits of measuring security
So what are the benefits of measuring security?
• Actually eases process of monitoring the effectiveness of
the ISMS (e.g. less labor intensive, for example, if using
tools, and provides a means of self checking);
• Proactive tools to measure / prevent problems arising at a
later date (e.g. network bottlenecks, disk clutter,
development of poor human practices);
• Reduction of incidents, etc;
• Motivates staff when senior management set targets;
• Tangible evidence to auditors, and assurance to senior
management that you are in control – i.e. Corporate
Information Assurance (Corporate Governance), and top
down approach to Information Assurance.
February 2008
Overview - ISO 27000
What should be measured
They have been broken down into the following categories:
1. Management Controls: Security Policy, IT Policies,
Security Procedures, Business Continuity Plans, Security
Improvement Plans, Business Objectives, Management
Reviews
2. Business Processes: Risk Assessment & Risk
Treatment Management Process, Human Resource
Process, SOA selection process, Media Handling Process
3. Operational Controls: Operational Procedures, Change
Control, Problem Management, Capacity Management,
Release Management, Back up, Secure Disposal,
Equipment off site
4. Technical Controls: Patch Management, Anti-Virus
Controls, IDS, Firewall, Content Filtering
February 2008
Overview - ISO 27000
What needs to be measured?
Measurement can be achieved against:
• A particular security control or objective;
• A group of controls;
• Against main controls within a Standard;
• Specific controls within an IT component.
February 2008
Overview - ISO 27000
Process for deciding which controls should be used.
First, you need to:
• Confirm relevance of controls through risk assessment;
• Define objectives, ensuring they map back to the
business;
• Use existing Indicators wherever possible, e.g. in ITIL
terms, KPIs:
– A KPI helps a business define progress towards a particular goal;
– KPIs are measurements critical to the success of the business.
• Within the ISMS audit framework, identify controls which
can be continuously monitored, using chosen technique;
• Before using any tools, confirm the objectives with senior
managers as well as staff. Corroborate with third parties,
or through SLAs/OLAs where internal third parties are
concerned e.g. ISO15000 (ITIL);
February 2008
Overview - ISO 27000
Process for deciding which controls should be used.
1. Establish a baseline, against which all future
measurements can be contrasted/compared;
2. Provide periodic reports to appropriate management
forum/ISMS owners (show graphs, pictures paint a
thousand words);
3. Identify Review Input – agreed recommendations,
corrective actions, etc;
4. Implement improvements within your Integrated
Management Systems (IMS) e.g. merged ISO’s 9001,
14000, 27001, 20000;
5. Establish/agree new baseline, review the output, apply the
PDCA approach (Plan – Do – Check – Act).
February 2008
Overview - ISO 27000
Measuring the effectiveness of Security
Apply the vulnerability management lifecycle...
 Inventory assets
 Identify
vulnerabilities
 Develop
baseline
 Prioritize based on
vulnerability data,
threat data, and
asset classification
plan
 Monitor known
vulnerabilities
 Watch unpatched
systems
 Alert other
suspicious activity
 Eliminate highpriority
vulnerabilities
 Establish controls
 Demonstrate
progress
February 2008
Overview - ISO 27000
Regulatory Concerns – why look at ISO
A lot to worry about:
• FOIP
• PIPEDA
• Government concerns (e.g. Systrust, GCCR)
• Payment Card Industry (PCI)
• CSOX (Bill 198)
• NERC (Electric Regulatory)
• Cross border regulations (HIPPA, GLBA)
• ISA SP 99 (Future Industrial Standard?)
• There will be more to follow ……..
February 2008
Overview - ISO 27000
Why Best Practices are Important!
Today, the effective use of best practices can help avoid reinventing wheels, optimize the use of scarce IT resources
and reduce the occurrence of major IT risks, such as:
– Project failures
– Wasted investments
– Security breaches
– System crashes
– Failures by service providers to understand and meet
customer requirements
February 2008
Overview - ISO 27000
Why Best Practices are Important!
COBIT, ITIL and ISO 17799 are valuable to the ongoing growth and
success of an organization because:
– Companies are demanding better returns from IT investments
– Best practices help meet regulatory requirements for IT controls
– Organizations face increasingly complex IT-related risks
– Organizations can optimize costs by standardizing controls
– Best practices help organizations assess how IT is performing
– Management of IT is critical to the success of enterprise strategy
– They help enable effective governance of IT activities
– A management framework helps staff understand what to do
(policy, internal controls and defined practices)
– They can provide efficiency gains, less reliance on experts, fewer
errors, increased trust from business partners and respect from
regulators
February 2008
Overview - ISO 27000
SUMMARY
•
•
•
•
•
ISO started as a management system
ISO 17799 (BS7799) has become a defacto IT standard
ISO 27000 takes standards to a new level
Most organizations are using or looking at the standard for help
Many more uses down the road
February 2008
Overview - ISO 27000
ISO 27000 Reference Links
http://www.iso.org/iso/home.htm
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
http://www.standardsglossary.com/
http://isotc.iso.org/livelink/livelink/fetch/2000/2122/327993/customview.html?func=ll&o
bjId=327993
http://en.wikipedia.org/wiki/ISO_27000
http://www.27000-toolkit.com/
http://www.iso27001security.com/
http://www.praxiom.com/27001.htm
http://www.information-security-policies-and standards.com/standard/index.htm
http://www.informationshield.com/iso17799.html
February 2008
Overview - ISO 27000
QUESTIONS ?
February 2008
Overview - ISO 27000
Related documents
Simplified standards process v5-6
Simplified standards process v5-6
ISO 14971 is an international standard for risk management of
ISO 14971 is an international standard for risk management of
Internet Content - Casualty Actuarial Society
Internet Content - Casualty Actuarial Society
Red hat Installation 2
Red hat Installation 2
Ms. Connie Sham Presentation
Ms. Connie Sham Presentation
Course Schedule
Course Schedule
MKT 543 Chap 13 Key PPT - Cal State LA
MKT 543 Chap 13 Key PPT - Cal State LA
BVQi Fact Sheet - Bureau Veritas
BVQi Fact Sheet - Bureau Veritas
Statement regarding Use of ISO 10993
Statement regarding Use of ISO 10993
Read More
Read More
Document
Document