
Information Security Management Systems

An ISO 27001 Introduction


Mahmood Justanieah

ISACA-Jeddah Technical Meeting


18-March-2009

Slide 1
19h00
 Information Security
 ISO 27001:2005 and ISO 27002:2005
 Control objectives and controls
 Differences between ISO 27001 and other standards (ITIL, COBIT, ISO 20000)
19h45
 Questions & Answers
20h00
 Closure

Slide 2
Section 1
Information Security

Slide 3
Scenario
► Compliance requirements, new notification laws and the growing number of breaches have made organizations aware that they need a structured approach to data security.
► Organizations are increasingly dependent on information assets.
► Information users (internal and external) are demanding increased availability.
► The number of incidents that threaten the continuity of operations is growing.
► A single security breach can:
 destroy a company's image
 depress the value of the business
 erode the "bottom line"; and
 compromise future earnings

Slide 4
Data breach costs
► For 2007, per-record compromised costs continued to increase (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC).
► The average total cost per reporting company was more than 6.3 million US dollars per breach, and ranged between 225,000 and almost 35 million.

Slide 5
Cause of data breach
► Lost or stolen laptops and other devices such as USB flash drives were the most significant source of a data breach (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC).

Slide 6
Risks and Threats
► Data Breach
 Media attention
 Breach notifications
 Brand degradation
 Government agency audit
► Customer Complaint
 Government agency's finding/order
 Litigation
 Loss of customer
 Decreased customer satisfaction
 Competitive disadvantage
► Non-Compliance
 Restrictions on business activities
 Loss of a contract
 New privacy controls
 Publicly named through a Commissioner's order or legal proceedings
► Over-Compliance
 Unnecessary restrictions on business activities

Slide 7
Information as an Asset
► Information is:
• "An asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected."
• Source: ISO/IEC 27002:2005, Section 0.1
► Asset definition:
• "anything that has value to the organization"
• Source: ISO/IEC 27001:2005, 3.1

Slide 8
Information Security, not IT Security
► Information must be protected throughout its entire lifecycle:
 Creation
 Storage
 Processing
 Distribution
► Information must be protected independently of its format or media
► Not IT:
 Paper documents (on desks, in waste bins, left on photocopiers)
 Whiteboards, conversations overheard
 Conversations on public transport
 …
 People

Slide 9
Information Security
► Information Security
• "preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved"
• Source: ISO/IEC 27001:2005
► Confidentiality: ensuring that information is accessible only to those authorized to have access (clause 3.3 of ISO/IEC 27001).
► Integrity: safeguarding the accuracy and completeness of information and processing methods (clause 3.8 of ISO/IEC 27001).
► Availability: ensuring that authorized users have access to information and associated assets when required (clause 3.2 of ISO/IEC 27001).

Slide 10
Information Security Management System
► Information Security Management System (ISMS)
 That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
 Is a management process, not a technological process
 A strategic decision of an organization; its design and implementation are influenced by:
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization
• Scaled with 'needs'

Slide 11
Section 2
ISO 27001: 2005 and ISO 27002:2005

Slide 12
The History of ISO 27001

1992
The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
1995
This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.
1996
Support and compliance tools begin to emerge, such as COBRA.
David Lilburn Watson becomes the first qualified certified BS7799 auditor.
1999
The first major revision of BS7799 is published, including many major enhancements.
Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.
2000
In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).

Slide 13
The History of ISO 27001

2002
A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.

2005
A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.

2005
ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

Slide 14
ISO 27001
► There are two closely related standards:
• ISO/IEC 27001 is the standard specification of requirements for an Information Security Management System (ISMS).
• ISO/IEC 27002:2005 is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.
► ISO/IEC 27001 specifies requirements:
 For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
► It is designed to:
 Ensure adequate security controls to protect information assets, documenting the ISMS
 Give confidence to customers and interested parties

Slide 15
Other related standards
► ISO/IEC 27006 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
► ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications
► SSE-CMM, Software Security Engineering – Capability Maturity Model, now released as ISO 21827:2002
 Helps organizations determine their security maturity relative to a set of capability metrics
► Under development
• ISO/IEC 27000 - an introduction and overview for the ISMS family of standards, plus a glossary of common terms
• ISO/IEC 27003 - ISMS implementation guide
• ISO/IEC 27004 - information security management measurements
• ISO/IEC 27005 - information security risk management
• ISO/IEC 27007 - guideline for auditing ISMSs
• ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry
• ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Slide 16
Process Approach
► ISO 27001 has adopted a process approach, which means an organization needs to identify and manage many activities in order to function effectively
► Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process

Inputs >>>>>>> Process >>>>>>> Outputs*

*Often, outputs from one process provide inputs into the next

► The process approach for an ISMS encourages users to emphasize the importance of:
 understanding an organization's information security requirements and the need to establish POLICY and OBJECTIVES for information security
 implementing and operating CONTROLS to manage an organization's information security risks in the context of the organization's overall business risks
 monitoring and reviewing the performance and effectiveness of the ISMS, and
 CONTINUAL IMPROVEMENT based on objective measurement

Slide 17
PDCA
► Plan, Do, Check, Act is to be applied to structure all ISMS processes
► The PDCA figure (not reproduced here) illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations

Slide 18
PDCA
► The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adapting the security system to changing requirements.
► This results in a control loop known as the PDCA model:
 Plan and implement security controls
 Operate security controls
 Monitor the security system and the world around you
 Initiate necessary changes to the security system

Slide 19
Compatibility with other management systems
► ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.
► ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.
► This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
…

Slide 20
Compliance to ISO/IEC 27001
► All clauses in ISO/IEC 27001 are mandatory
 Risk treatment plan based on risk assessment
 Documentation supporting various clauses
 Statement of Applicability based on scoping, justifying the choice of controls
• Annex A lists mandatory controls to choose from
• Valid justification must be documented to eliminate a control
• Chosen controls must be documented for audit purposes
► Certification to the standard requires that all clauses be implemented

Slide 21
Process Flow for Information Security

Step 1: Define the information security policy
 Output: Information security policy

Step 2: Define the scope of the ISMS
 Output: Scope of ISMS

Step 3: Undertake risk assessment
 Inputs: Information assets; threats, vulnerabilities, impacts
 Output: Risk assessment results and conclusions

Step 4: Manage the risk
 Inputs: Organization's approach to risk management; degree of assurance required
 Outputs: Areas of risk to be managed; selected control options

Step 5: Select control objectives and controls
 Input: Additional controls
 Outputs: Statement of Applicability; control objectives and controls to be implemented

Slide 22
Implementation of an ISMS - Plan
► Establish and manage the ISMS
 Scope and boundaries
 Policy / objectives
 Define risk assessment approach
 Identify risks
 Analyse and evaluate the risks
 Identify and evaluate options for treatment of risks
 Select control objectives & controls (Annex A)
 Obtain management approval of the proposed residual risks
 Obtain management authorisation to implement and operate the ISMS
 Prepare a Statement of Applicability
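
The Plan activities above can be carried through end to end in a small worked example. The Python script below is added here for illustration; it is not from the slides, from ISO, or from any tool the presentation describes. It scores each sample risk as likelihood × impact, compares the score with a management-approved acceptance level, picks one of the four treatment options named in ISO/IEC 27001:2005 (apply controls, accept, avoid, transfer), flags residual risks that still need management approval, and emits Statement of Applicability rows with a justification for every Annex A reference in a small catalogue. The assets, scores, acceptance level and control mapping are constructed sample data; the Annex A references A.9.2.5, A.10.8.3 and A.12.3.1 are ISO/IEC 27002:2005 controls not cited on the slides and are included only to populate the catalogue.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Treatment options from ISO/IEC 27001:2005 clause 4.2.1 f).
ACCEPT, MITIGATE, AVOID, TRANSFER = "accept", "mitigate", "avoid", "transfer"

# Annex A subset. The first eight references are the ones the slides cite;
# the last three are further ISO/IEC 27002:2005 controls added for this sample.
ANNEX_A: Dict[str, str] = {
    "A.5.1.1": "Information security policy document",
    "A.6.1.3": "Allocation of information security responsibilities",
    "A.8.2.2": "Information security awareness, education and training",
    "A.13.1.1": "Reporting information security events",
    "A.14.1": "Information security aspects of business continuity management",
    "A.15.1.2": "Intellectual property rights",
    "A.15.1.3": "Protection of organizational records",
    "A.15.1.4": "Data protection and privacy of personal information",
    "A.9.2.5": "Security of equipment off-premises",
    "A.10.8.3": "Physical media in transit",
    "A.12.3.1": "Policy on the use of cryptographic controls",
}
LEGALLY_REQUIRED = {"A.15.1.2", "A.15.1.3", "A.15.1.4"}            # slide 31: legislative
BASELINE = {"A.5.1.1", "A.6.1.3", "A.8.2.2", "A.13.1.1", "A.14.1"}  # slide 31: common best practice


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                      # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[str] = field(default_factory=list)  # candidate Annex A references
    likelihood_after: Optional[int] = None   # estimate once the controls operate
    impact_after: Optional[int] = None
    transferable: bool = False       # insurance or a contract can carry the loss

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        l = self.likelihood if self.likelihood_after is None else self.likelihood_after
        i = self.impact if self.impact_after is None else self.impact_after
        return l * i


def choose_treatment(risk: Risk, accept_level: int) -> str:
    """Pick a treatment option; accept_level is the management-approved score ceiling."""
    if risk.score <= accept_level:
        return ACCEPT
    if risk.controls:
        return MITIGATE   # a residual still above accept_level is flagged by plan()
    if risk.transferable:
        return TRANSFER
    return AVOID          # nothing reduces or carries the risk: stop the activity


def plan(risks: List[Risk], accept_level: int):
    """One pass over the register: decisions, residual risks needing approval, SoA rows."""
    decisions: Dict[Tuple[str, str], str] = {}
    needs_approval: List[Tuple[str, str, int]] = []
    selected_by: Dict[str, List[str]] = {}
    for r in risks:
        t = choose_treatment(r, accept_level)
        decisions[(r.asset, r.threat)] = t
        if t == MITIGATE:
            for ref in r.controls:
                selected_by.setdefault(ref, []).append(f"{r.asset}/{r.threat}")
            if r.residual > accept_level:
                needs_approval.append((r.asset, r.threat, r.residual))
    soa = []
    for ref, title in ANNEX_A.items():
        reasons = []
        if ref in LEGALLY_REQUIRED:
            reasons.append("legislative requirement")
        if ref in BASELINE:
            reasons.append("common best practice")
        if ref in selected_by:
            reasons.append("risk treatment for " + ", ".join(selected_by[ref]))
        if reasons:
            soa.append((ref, title, True, "; ".join(reasons)))
        else:  # the justification for leaving a control out must be recorded too
            soa.append((ref, title, False, "no risk in the register requires this control"))
    return decisions, needs_approval, soa


# Constructed sample register and acceptance level.
SAMPLE_RISKS = [
    Risk("laptop fleet", "loss or theft of device", 4, 4,
         controls=["A.9.2.5", "A.12.3.1"], impact_after=2),
    Risk("HR records", "unauthorised disclosure", 2, 5,
         controls=["A.15.1.4", "A.8.2.2"], likelihood_after=1),
    Risk("public web server", "prolonged outage", 3, 5,
         controls=["A.14.1"], impact_after=2),
    Risk("courier shipments", "loss in transit", 3, 3, transferable=True),
    Risk("canteen menu", "tampering", 2, 1),
    Risk("legacy modem line", "misuse", 4, 4),
]
ACCEPT_LEVEL = 6

if __name__ == "__main__":
    decisions, approvals, soa = plan(SAMPLE_RISKS, ACCEPT_LEVEL)
    for (asset, threat), t in decisions.items():
        print(f"{asset:18} {threat:26} -> {t}")
    print("residual risks needing management approval:", approvals)
    for ref, title, applicable, why in soa:
        print(f"{ref:9} {'Applicable' if applicable else 'Not applicable':15} {why}")
```

With the sample register the laptop risk stays at a residual score of 8 after treatment, so it is returned in the approval list: that is the "obtain management approval of the proposed residual risks" step made explicit rather than left to a meeting. The courier risk has no candidate control, so it is transferred; the modem line has neither a control nor a transfer route, so it is avoided; and the only catalogue control not applicable is A.10.8.3, for which the script records the justification the standard requires.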

Slide 23
Implementation of an ISMS - Do
► Implement and operate the ISMS
 Formulate risk treatment plan
 Implement risk treatment plan
 Define how to measure effectiveness of selected controls
 Implement controls selected to meet control objectives
 Implement training and awareness
 Manage operations and resources
 Implement procedures and other controls

Slide 24
Implementation of an ISMS - Check
► Monitor and review the ISMS
 Execute monitoring procedures and other controls
 Undertake regular reviews of the effectiveness of the ISMS
 Measure effectiveness of controls
 Review risk assessments at planned intervals
 Review level of residual risk and identified acceptable risk
 Internal ISMS audits / management review
 Update security plans
 Record actions and events

Slide 25
Implementation of an ISMS - Act
► Maintain and improve the ISMS
 Implement identified improvements
 Take appropriate corrective and preventive actions
 Communicate the actions and improvements
 Ensure improvements achieve intended objectives

Slide 26
Section 3
Control objectives and Controls

Slide 27
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."

Gene Spafford
Director, COAST (Computer Operations, Audit and Security Technology)
Purdue University

Slide 28
Purpose of controls in ISO/IEC 27002/27001
► 27002 specifies aspects of an effective information protection program suitable to the needs of business and industry
► Protection in 27002 is based on assuring integrity, availability, and confidentiality of corporate information assets
► Assurance is attained through controls that management creates and maintains within the organization
► Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks

Slide 29
ISO 27002 domains

► Security Policy

► Organization of Information Security

► Asset management

► Human resources security

► Physical and environmental security

► Communications and Operations Management

► Access Control

► Information Systems Acquisition, Development and Maintenance

► Information Security Incident Management

► Business Continuity Management

► Compliance

Slide 30
Selection of Controls
► Additional control objectives and controls:
 An organization might consider that additional control objectives and controls are necessary
► Not all the controls will be relevant to every situation:
 Consider local environmental or technological constraints
 Controls may not be in a form that suits every potential user in an organization

Slide 31
Choice of controls
► Controls considered to be essential to an organization from a legislative point of view include:
• intellectual property rights (see 15.1.2)
• safeguarding of organizational records (see 15.1.3)
• data protection and privacy of personal information (see 15.1.4)
► Controls considered to be common best practice for information security include:
• information security policy document (see 5.1.1)
• allocation of information security responsibilities (see 6.1.3)
• information security education and training (see 8.2.2)
• reporting information security events (see 13.1.1)
• information security aspects of business continuity management (see 14.1)

Slide 32
Section 4
Differences with Other Standards
ITIL, ISO 20000, Cobit

Slide 33
Definitions

COBIT

COBIT stands for Control Objective over Information and Related Technology. COBIT is issued by ISACA (Information System Control Standard), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing an information system audit, whether related to a financial audit or a general IT audit.

ITIL

ITIL stands for Information Technology Library. ITIL, issued by OGC, is a framework for managing IT service levels. Although ITIL is quite similar to COBIT in many ways, the basic difference is that COBIT sets the standard from a process and risk perspective, whereas ITIL sets the standard from the perspective of basic IT service.

Slide 34
Comparison

ISO27001

ISO27001 is quite different from COBIT and ITIL, because ISO27001 is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL. Here is the detailed comparison table between these three standards.

AREA            COBIT                              ITIL                              ISO27001
Function        Mapping IT Process                 Mapping IT Service Level          Information Security Framework
                                                   Management
Domain          4 Process Areas and 34 Domains     9 Processes                       10 Domains
Issuer          ISACA                              OGC                               ISO Board
Implementation  Information System Audit           Manage Service Level              Compliance to security standard
Consultant      Accounting firm, IT Consulting     IT Consulting Firm                Security Consulting Firm,
                Firm                                                                 Network Consultant

Slide 35
Slide 36
Q&A

Slide 37
Mahmood.Justanieah@bureauveritas.com

Slide 38
