Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005
Speaker
Curt Dalton, CISSP, CISM, ISMS Lead Auditor/Implementer
Commonwealth ITD Security Office, Program Manager of the Enterprise Security Plan:
– EO504 Adoption
– ISO Adoption
– IT Security Governance
– Security Architecture Improvements
ISO 27001:2005 Topics
– What is ISO 27001:2005?
– What are its Components?
– What are its Origins & Purpose?
– How is it Implemented?
– Steps to Certification (optional)
– Summary Statement
– Contact Information
What is ISO 27001:2005?
[Diagram: the ISMS Development, Maintenance and Improvement Cycle. Inputs: Interested Parties, Enterprise Security Architecture Requirements, Business Strategy. Cycle: Establish ISMS Context & Risk Assessment → Design and Implement ISMS → Monitor & Review ISMS → Maintain & Improve ISMS. Outputs: Interested Parties, Established ISMS, Qualitative ROI, Regulatory / Legislative Compliance.]
– Plan (Establish the ISMS Scope & Conduct the Risk Assessment): Establish security policy, objectives, targets, processes and procedures relevant to managing risk to information assets and improving information security, to deliver results in accordance with an organization's overall policies.
– Do (Design and Implement the ISMS): Implement and operate the security policy, controls, processes and procedures.
– Check (Monitor & Review the ISMS): Assess results of detective controls to measure performance and effectiveness.
– Act (Maintain and Improve the ISMS): Take corrective and preventive actions, based on the results of the performance and effectiveness metrics, to achieve continual improvement of the ISMS.
Form & Function of ISO 27001
[Diagram: 11 Domains (specify requirements) → Control Objectives → 133 Controls (satisfy objectives)]
Major Components of ISO 27001:2005 (ISO/IEC 27001)
1. Scope
2. Normative References
3. Terms & Definitions
4. Information security management system
   4.1 General requirements
   4.2 Establishing and managing ISMS
   4.3 Documentation requirements
       – Control of documents
       – Control of records
5. Management responsibility
   5.1 Management commitment
   5.2 Resource management
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
   8.1 Continual improvement
   8.2 Corrective actions
   8.3 Preventive actions
Annex A, B & C
Expanded view of Annex A (11 domains), ISO/IEC 27001:2005
– A.5 Security Policy
– A.6 Organization of Information Security
– A.7 Asset Management
– A.8 Human Resources Security
– A.9 Physical & Environmental Security
– A.10 Communications & Operations Management
– A.11 Access Control
– A.12 Information Systems Acquisition, Development and Maintenance
– A.13 Information Security Incident Management
– A.14 Business Continuity Management
– A.15 Compliance
Origins of the 27001:2005 Standard
ISO/IEC 27002:2005 (formerly ISO 17799)
– A code of practice for information security management with implementation advice.
– Provides comprehensive implementation advice on the 133 security controls found in ISO/IEC 27001:2005.
ISO/IEC 27001:2005 (circa 2005)
– Derived from BS7799 (circa 1999).
– Provides a framework for a risk-based security management system that can be independently certified.
– Defines security requirements for certification to the Standard.
ISO Family (Information Security)
– Risk Management
– ISMS Implementation & Improvement Guidance (proposed)
– ISMS Certification Standard (requirements): ISO/IEC 27001:2005
– ISMS Code of Practice (implementation guidance): ISO/IEC 27002:2005
How to Implement ISO 27001:2005
Initial Building Blocks (bottom to top):
– Establish Project Team
– ISMS Scope Definition
– Identification of Assets
– Risk Assessment
– Risk Treatment Plan
– Documentation Management
– Training and Awareness
– Ongoing Improvement
– Internal Audit
Phases:
– Establish the ISMS
– Implement & Operate the ISMS
– Monitor & Review the ISMS
– Maintain & Improve the ISMS
– Apply for Certification
Steps to Certification (optional!)
1. Inquire to Registrar (BSI): provide information about your business and ISMS
2. Develop Quotation: detailing all costs involved
3. Complete an Application: sign contract
4. BSI Assessment Team Appointed: assessors have industry experience
5. Conduct Pre-assessment (Optional): a “dry run” assessment, helps identify gaps
6. Stage 1 Audit: documentation review & high-level walk-through
7. Stage 2 Audit: detailed review of the system in action
8. Certification Recommendation: confirmation of certification and delivery of certificate (or denial!)
9. Bi-annual/annual Surveillance Visits: partial audit every 6 months or every year
Summary Statement
One statement can sum up the main goal of the ISO framework: reduce the likelihood of human error by replacing ad hoc procedures with repeatable processes.
Questions?
Contact Information:
Curt Dalton
ITD Security Office, Commonwealth of Massachusetts
Program Manager, Enterprise Security Plan
Office: (617)
Personal