Department of Computer Science Introduction to Information Security Chapter 8 ISO/IEC 27001 2016 - Semester 1.


1 Department of Computer Science
Introduction to Information Security
Chapter 8: ISO/IEC 27001
Semester 1

2 Lecture Outline
Introduction
Brief history
Organisation interaction with standards
Compliance
Certification
Accreditation
ISMS framework
Why use ISO 27001?
Phases to develop an ISMS
Other standards
“Some” ISO statistics

3 Introduction
This chapter is about the development of an Information Security Management System (ISMS). An ISMS is an information assurance framework adapted to manage an information system (IS) based on a systematic business risk approach, in order to establish, implement, operate, monitor, review, maintain and improve IS. ISO/IEC 27001 is an international standard for IS that focuses on an organisation's ISMS. Any IS activity should be planned, implemented and maintained within the ISMS framework.

4 Introduction (cont.)
An ISMS will ensure that the right controls are developed to provide adequate IS that satisfies all specifications required by users, customers and partners. Obtaining certification to ISO/IEC 27001 is a strong demonstration of an organisation's commitment to effective IS management. Implementing an ISMS provides assurance that security concerns are being addressed in accordance with currently accepted best practices. ISO 27001 presents the requirements to develop and maintain an ISMS.

5 Brief history
ISO/IEC 27001 was developed in October 2005 and reviewed in 2013. The major components that were reviewed place more emphasis on measuring and evaluating how well an organisation's ISMS is performing.
ISO => International Organization for Standardization, 1947, Geneva, Switzerland
IEC => International Electrotechnical Commission, 1906, Geneva, Switzerland
There were earlier standards, such as the ISO (2000), from which ISO 27001 was derived.

6 How organizations interact with the standards
Compliance: the organisation voluntarily conducts an assessment to verify whether its ISMS complies with the standard.
Certification: awarded by an accredited certification body when an organisation successfully completes an independent audit certifying that the organisation's ISMS meets the requirements of a specific standard, for example ISO 27001. Certification of the organisation's ISMS to ISO 27001 is a valuable step.

7 How organizations interact with the standards
Certification (cont.): it makes a clear statement to customers, suppliers, partners and authorities that the organisation has secure information security management in place. A certificate is valid for 3 years.

8 How organizations interact with the standards
Accreditation: the process by which an authorised body officially grants a certification body the authority to evaluate, certify and register an organisation's ISMS.

9 General ISMS Framework
ISO/IEC 27001 proposes 6 steps for building an ISMS:
The scope of the ISMS
ISMS security policy
Identification of a systematic risk assessment methodology
Risk assessment based on the ISMS scope
Risk management
Preparation of a statement of applicability

10 General ISMS Framework
Scope of the ISMS:
Can be defined in terms of the organisation as a whole or a part of the organisation, covering the relevant data resources, services, technology and networks.
Clearly defines the boundaries.
Can cover the entire organisation, a specific CE, or one or more of its IS.
Main factors that can affect the scope decisions:
Time constraints
Budget constraints
Local/national laws and regulations
Contractual obligations

11 General ISMS Framework
Security policy:
Sensitivity classifications of assets
Specification of the maximum accepted security levels
Statement of applicability:
For every security control included in the security program, the statement of applicability should show that:
It is supported by the security policy
It is feasible
It produces mitigation of risk
It ensures continual improvement of the company's risk position

12 General ISMS Framework
When business activities change, their management requirements change. Any change in any component of the CE will require re-evaluation of the ISMS model.

13 Why is ISO 27001 good for your company?
To comply with legal requirements
Achieve marketing advantage
Lower costs
Better organisation
Easier to obtain funding and resources for the IS team and security objectives

14 Iterative approach to manage an ISMS process

15 The four phases used to develop an ISMS

16 The four phases used to develop an ISMS
Establish the ISMS
Implement & Operate the ISMS

17 The four phases used to develop an ISMS
Monitor & Review the ISMS
Maintain & Improve the ISMS

18 Other standards being developed in the 27000 family are:
27003 – implementation guidance.
An information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard (published in 2008).
A guide to the certification or registration process for accredited ISMS certification or registration bodies (published in 2007).
27007 – ISMS auditing guideline.
ISO – International Cloud Privacy Standard (2014).
ISO defines the requirements for business continuity management systems.
ISO 9001 defines the requirements for quality management systems.

19 The number of ISO/IEC 27001 certificates is growing steadily year-on-year:
Source: The ISO Survey of Management System Standard Certifications

20 The number of ISO/IEC 27001 certificates is growing steadily year-on-year:
Source: http://www.iso27001security.com/html/27001.html

21 The number of ISO/IEC 27001 certificates by location

22 Homework
Access the link below to view the data collected during the ISO Survey, 2014.
End

