Department of Computer Science
Introduction to Information Security
Chapter 8: ISO/IEC 27001
2016 - Semester 1

Lecture Outline
Introduction
Brief history
Organisation interaction with standards: Compliance, Certification, Accreditation
ISMS framework
Why use ISO 27001?
Phases to develop an ISMS
Other standards
"Some" ISO statistics
Introduction
This chapter is about the development of an Information Security Management System (ISMS). An ISMS is an information assurance framework adopted to manage information security (IS) based on a systematic business risk approach, in order to establish, implement, operate, monitor, review, maintain and improve IS. ISO/IEC 27001 is an international standard for IS that focuses on an organization's ISMS. Any IS activity should be planned, implemented and maintained within the ISMS framework.

Introduction (cont.)
An ISMS will ensure the right controls are developed to provide adequate IS that satisfies all specifications required by users, customers and partners. Obtaining certification to ISO/IEC 27001 is a strong demonstration of an organisation's commitment to effective IS management. Implementing an ISMS provides assurance that security concerns are being addressed in accordance with currently accepted best practices. ISO 27001 presents the requirements to develop and maintain an ISMS.
Brief history
ISO/IEC 27001 was developed in October 2005 and reviewed in 2013. The revised version places more emphasis on measuring and evaluating how well an organization's ISMS is performing.
ISO => International Organisation for Standardization, founded 1947, Geneva, Switzerland
IEC => International Electrotechnical Commission, founded 1906, Geneva, Switzerland
There were earlier standards, such as ISO 17799 (2000), from which ISO 27001 was derived.
How organizations interact with the standards
Compliance: The organisation voluntarily conducts an assessment to verify whether its ISMS complies with the standard.
Certification: Awarded by an accredited certification body when an organisation successfully completes an independent audit that certifies that the organization's ISMS meets the requirements of a specific standard, for example ISO 27001. Certification of the organization's ISMS to ISO 27001 is a valuable step.

How organizations interact with the standards
Certification (cont.): It makes a clear statement to customers, suppliers, partners and authorities that the organisation has sound information security management in place. A certificate is valid for 3 years.

How organizations interact with the standards
Accreditation: The process by which an authorized body officially grants a certification body the authority to evaluate, certify and register an organization's ISMS.
General ISMS Framework
ISO/IEC 27001 proposes 6 steps for building an ISMS:
1. The scope of the ISMS
2. ISMS security policy
3. Identification of a systematic risk assessment methodology
4. Risk assessment based on the ISMS scope
5. Risk management
6. Preparation of a statement of applicability
General ISMS Framework
Scope of the ISMS:
Can be defined in terms of the organisation as a whole or part of the organization, covering the relevant data resources, services, technology and networks.
Clearly defines the boundaries.
Can cover the entire organisation, a specific CE, or one or more of its information systems.
Main factors that can affect the scope decisions: time constraints, budget constraints, local/national laws and regulations, contractual obligations.

General ISMS Framework
Security policy:
Sensitivity classifications of assets.
Specify maximum accepted security levels.
Statement of applicability:
For every security control included in the security program, the statement of applicability should show that:
It is supported by the security policy.
It is feasible.
It produces mitigation of risk.
It ensures there is continual improvement of the company's risk position.

General ISMS Framework
When business activities change, their management requirements change. Any change in any component of the CE will require re-evaluation of the ISMS model.
Why is ISO 27001 good for your company?
To comply with legal requirements
Achieve marketing advantage
Lower costs
Better organisation
Easier to obtain funding and resources for the IS team and security objectives
Iterative approach to manage an ISMS process [figure: the four ISMS phases shown as a cycle]

The four phases used to develop an ISMS
1. Establish the ISMS
2. Implement & Operate the ISMS
3. Monitor & Review the ISMS
4. Maintain & Improve the ISMS
Other standards being developed in the 27000 family are:
27003 - implementation guidance.
27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 - an information security risk management standard (published in 2008).
27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies (published in 2007).
27007 - ISMS auditing guideline.
ISO 27018 - International Cloud Privacy Standard (2014).
ISO 22301 defines the requirements for business continuity management systems.
ISO 9001 defines the requirements for quality management systems.
The number of ISO/IEC 27001 certificates is growing steadily year-on-year. [chart: certificates per year]
Sources: The ISO Survey of Management System Standard Certifications; http://www.iso27001security.com/html/27001.html

The number of ISO/IEC 27001 certificates by location. [chart: certificates by country/region]
Source: http://www.iso27001security.com/html/27001.html
Homework
Access the link below to view the data collected during the ISO Survey, 2014:
www.iso.org/iso/iso-survey_2014.zip