Slide 1
19h00
Information Security
ISO 27001: 2005 and ISO 27002:2005
Control objectives and controls
Differences between ISO 27001 & other Standards
ITIL, Cobit, ISO 20000
19h45
Questions & Answers
20h00
Closure
Slide 2
Section 1
Information Security
Slide 3
Scenario
► Compliance requirements, new notification laws and the growing number of
breaches have made organizations aware that they need a structured
approach to data security.
► Organizations are increasingly dependent on information assets
Slide 4
Data breach costs
► For 2007, per-record compromised costs continued to increase (2007 Annual
Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC).
► The average total cost per reporting company was more than 6.3 million US
Dollars per breach and ranged between 225.000 and almost 35 million.
Slide 5
Cause of data breach
► Lost or stolen laptops and other devices such as USB flash drives were the
most significant source of a data breach. (2007 Annual Study: US Cost of Data
Breach, research conducted by Ponemon Institute LLC)
Slide 6
Risks and Threats
► Data Breach
► Non-Compliance
Slide 7
Information as an Asset
► Information is:
► Asset Definition:
Slide 8
Information Security not IT Security
► Information must be protected throughout its entire lifecycle:
Creation
Storage
Processing
Distribution
► Not IT
Slide 9
Information Security
► Information Security
Slide 10
Information Security Management System
Slide 11
Section 2
ISO 27001: 2005 and ISO 27002:2005
Slide 12
The History of ISO 27001
1992
The Department of Trade and Industry (DTI), which is part of the UK Government,
publishes a 'Code of Practice for Information Security Management'.
1995
This document is amended and re-published by the British Standards Institute (BSI) in
1995 as BS7799.
1996
Support and compliance tools begin to emerge, such as COBRA.
David Lilburn Watson becomes the first qualified certified BS7799 Auditor.
1999
The first major revision of BS7799 was published. This included many major
enhancements.
Accreditation and certification schemes are launched. LRQA and BSI are the first
certification bodies.
2000
In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It
becomes ISO 17799 (or more formally, ISO/IEC 17799).
Slide 13
The History of ISO 27001
2002
A second part to the standard is published: BS7799-2. This is an Information
Security Management Specification, rather than a code of practice. It begins
the process of alignment with other management standards such as ISO
9000.
2005
A new version of ISO 17799 is published. This includes two new sections, and
closer alignment with BS7799-2 processes.
2005
ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a
specification for an ISMS (information security management system), which
aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
Slide 14
ISO 27001
► ISO/IEC 27001
► Specifies requirements:
► Designed to:
Slide 15
Other related standards
► ISO/IEC 27006 - Information technology -- Security techniques - Requirements for
bodies providing audit and certification of information security management systems
► Under development
• ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a
glossary of common terms
• ISO/IEC 27003 - ISMS implementation guide
• ISO/IEC 27004 - information security management measurements
• ISO/IEC 27005 - information security risk management
• ISO/IEC 27007 - guideline for auditing ISMSs
• ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry
• ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
Slide 16
Process Approach
► Process approach for ISMS encourages users to emphasize the importance of:
Slide 17
PDCA
► Plan, Do, Check, Act is to be applied to structure all ISMS processes
Slide 18
PDCA
► The continuous change of the company, technology and society
requires a process of continuously evaluating the effectiveness and
efficiency of all security controls and adapting the security system to
changing requirements.
► This results in a control loop known as PDCA model:
Slide 19
Compatibility with other management systems
► ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order
to support consistent and integrated implementation and operation
with related management standards.
► ISO 27001 illustrates the relationship between its requirements, ISO
9001:2000 and ISO 14001:2004.
► This International Standard is designed to enable an organization to
align or integrate its ISMS with related management system
requirements.
Slide 20
Compliance to ISO/IEC 27001
Slide 21
Process Flow for Information Security
Step 2: Define the scope of the ISMS (output: Scope of ISMS)
Step 3: Undertake risk assessment (inputs: Information Assets; Threats, Vulnerabilities, Impacts; output: Risk assessment)
Slide 22
Implementation of an ISMS - Plan
Slide 23
Implementation of an ISMS - Do
Slide 24
Implementation of an ISMS - Check
Slide 25
Implementation of an ISMS - Act
Slide 26
Section 3
Control objectives and Controls
Slide 27
“The only system which is truly secure is one which is
switched off and unplugged, locked in a titanium lined
safe, buried in a concrete bunker, and is surrounded by
nerve gas and very highly paid armed guards. Even
then, I wouldn’t stake my life on it.”
Gene Spafford
Director, COAST (Computer Operations, Audit and Security Technology)
Purdue University
Slide 28
Purpose of controls in ISO/IEC 27002/27001
Slide 29
ISO 27002 domains
► Security Policy
► Asset management
► Access Control
► Compliance
Slide 30
Selection of Controls
Slide 31
Choice of controls
► Controls considered to be essential to an organization from a
legislative point of view include:
• intellectual property rights (see 15.1.2)
Slide 32
Section 4
Differences with Other Standards
ITIL, ISO 20000, Cobit
Slide 33
Definitions
COBIT
Cobit stands for Control Objective over Information and Related Technology.
Cobit is issued by ISACA (Information System Control Standard), a non-profit
organization for IT Governance. The main function of Cobit is to help the
company map its IT processes to the ISACA best-practice standard. Cobit is
usually chosen by companies performing an information system audit,
whether related to a financial audit or a general IT audit.
ITIL
ITIL stands for Information Technology Library. ITIL, issued by the OGC, is a
framework for managing IT Service Levels. Although ITIL is quite similar to
COBIT in many ways, the basic difference is that Cobit sets the standard from
a process-based and risk-based view, whereas ITIL sets the standard starting
from basic IT services.
Slide 34
Comparison
ISO27001
Slide 35
Slide 36
Q&A
Slide 37
Mahmood.Justanieah@bureauveritas.com
Slide 38