International Security Management Standards: BS ISO/IEC 17799:2005, BS ISO/IEC 27001:2005 (first edition ISO/IEC 17799:2000; second edition ISO/IEC 17799:2005)


1 International Security Management Standards

2 BS ISO/IEC 17799:2005, BS ISO/IEC 27001:2005
- First edition: ISO/IEC 17799:2000
- Second edition: ISO/IEC 17799:2005
- ISO/IEC 17799 takes the form of guidance notes and recommendations, which have been produced following consultation with leading companies.
- ISO/IEC 27001:2005 provides requirements for Information Security Management and is relevant to those responsible for initiating, implementing or maintaining security in their organization.

3 Organizations
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- BSI: British Standards Institution

4 BS 7799-Part 2:2002
- BS 7799:Part 2 has been updated and was released as ISO/IEC 27001:2005 on October 15th 2005.
- The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas:
  - risk assessment,
  - contractual obligations,
  - scope,
  - management decisions,
  - measuring the effectiveness of selected controls.

5 Information Security Management System - Key Principles based on BS 7799
[Diagram: layers of the ISMS, from the Corporate Information Security Policy and the Policies / Standards framework, through Education & awareness (people), Existing processes (processes) and Technical control (technology), down to Information Security Risk]

6 ISMS Implementation
[Diagram: the ISMS implementation cycle]
- Establish the context (POLICY)
  - Define information security policy and objectives
  - ISMS scope and policy
  - Security organization
  - Risk identification and assessment: identify risks, analyse risks, evaluate
- Manage the risk
  - Identify and evaluate options for managing the risks
  - Select controls and objectives for the treatment and management of risk
  - Implement selected controls
  - Statement of applicability
- Monitor the progress
  - Create monitoring rules
  - Monitor and review ISMS
- Improve ISMS
  - Identify improvements in the ISMS and implement them
  - Take appropriate corrective and preventive actions
  - Communicate and consult (management, stakeholders, users etc.)

7 The standard for Information Security Management System (ISMS), BS 7799 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.

8 What is an Information Security Management System (ISMS)?
- An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.

9 What is BS 7799?
- BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

10 BS 7799 is organized into 10 sections:
1. Security policy
2. Organization of assets and resources
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance

11 ISO 27001:2005
The present standard has:
- 11 Domains
- 39 Control Objectives
- 133 Controls

12 ISO 27001:2005
The 11 domains are:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

13 Domain, control objectives & controls - Example
5 Physical and Environmental Security
- 5.1 Secure Areas
  - 5.1.1 Physical security perimeter
  - 5.1.2 Physical entry controls
  - 5.1.3 Securing offices, rooms and facilities
  - 5.1.4 Protecting against external and environmental threats
  - 5.1.5 Working in secure areas
  - 5.1.6 Public access, delivery and loading areas
- 5.2 Equipment Security
  - 5.2.1 Equipment siting and protection
  - 5.2.2 Supporting utilities
  - 5.2.3 Cabling security
  - 5.2.4 Equipment maintenance
  - 5.2.5 Security of equipment off-premises
  - 5.2.6 Secure disposal or reuse of equipment
  - 5.2.7 Removal of property

14 Domain, control objectives & controls - Example
11 Compliance
- 11.1 Compliance with legal requirements: 6 controls
- 11.2 Compliance with security standards and technical compliance: 2 controls
- 11.3 Information systems audit considerations: 2 controls

15
- Formulation of security requirements and objectives;
- To ensure that security risks are cost-effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management processes;

16
- To be used by management to determine the status of information security management activities;
- To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- To provide relevant information about information security policies, directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.

17 Laws and Regulations
- Regulatory requirements
  - Establishment
  - Organization
  - Responsibilities
  - Correlation to financial, operational and IT audit functions

18 Laws and Regulations
- Steps to determine compliance with external requirements:
  1. Identify external requirements
  2. Document pertinent laws and regulations
  3. Assess whether management and the IS function have considered the relevant external requirements
  4. Review internal IS department documents that address adherence to applicable laws
  5. Determine adherence to established procedures

19 ISACA Standards and Guidelines for IS Auditing
- ISACA IS Auditing Standards
- ISACA IS Auditing Guidelines
- ISACA Code of Professional Ethics

20 ISACA Standards and Guidelines for IS Auditing
Objectives of ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

21 ISACA Standards and Guidelines for IS Auditing
Framework for ISACA's Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures

22 ISACA Standards and Guidelines for IS Auditing
- Audit charter
- Independence
- Professional ethics and standards
- Competence

23 ISACA Standards and Guidelines for IS Auditing (continued)
- Planning
- Performance of audit work
- Reporting
- Follow-up activities

24 ISACA Standards and Guidelines for IS Auditing: Audit charter
- Responsibility, authority and accountability

25 ISACA Standards and Guidelines for IS Auditing: Independence
- Professional independence
- Organizational relationship

26 ISACA Standards and Guidelines for IS Auditing: Professional Ethics and Standards
- Code of Professional Ethics
- Due professional care

27 ISACA Standards and Guidelines for IS Auditing: Competence
- Skills and knowledge
- Continuing professional education

28 ISACA Standards and Guidelines for IS Auditing: Planning
- Audit planning

29 ISACA Standards and Guidelines for IS Auditing: Performance of audit work
- Supervision
- Evidence

30 ISACA Standards and Guidelines for IS Auditing: Reporting
- Report content and form

31 ISACA Standards and Guidelines for IS Auditing: Follow-up Activities
- Review previous conclusions and recommendations
- Review previous relevant findings
- Determine whether appropriate actions have been implemented on a timely basis

32 ISACA Standards and Guidelines for IS Auditing: Use of ISACA Guidelines
- Consider the guidelines in determining how to implement the standards
- Use professional judgment in applying these guidelines
- Be able to justify any departure

