What Is ISO 27001 ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS7799-2. It is intended to provide the foundation for third party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO 14001

Control systematically and consistently throughout the organizations What is ISO 27001 A standard against which organizations may seek independent certification of their Information Security Management Systems To design, implement, manage, maintain and enforce information security processes Control systematically and consistently throughout the organizations

What ISO 27001 means to Security Management Reassure Customers,Suppliers & all Concerned that information security is taken seriously within the organization The Standard has in place recognized processes to deal with information security threats and issues.

In October 2005, British Standard BS 7799 part 2 was adopted by ISO Evolution In October 2005, British Standard BS 7799 part 2 was adopted by ISO Subsequently it was re- badged and released as the new international information security standard ISO/IEC 27001:2005

Objective To help establish and maintain an effective information management system Continual improvement of the System To implement principles, governing security of information and network systems. To provide best practice guidance on protecting the confidentiality, integrity and availability of the information on which we all depend - information such as Military Data, our bank accounts, indeed even the very words you are reading right now

Application Military Data Bank accounts Resources Management Annual Confidential Reports University/Colleges/Schools Competitive Examinations Corporates Strategic Plans

suitable for types of use within organization To formulate security requirements and objectives To ensure that security risks are cost-effectively managed To ensure compliance with laws and regulations To ensure that the specific security objectives of an organization are met

Specific Requirements It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall risk management processes. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

Suitability for use Contd To Identify and clarify existing information security management processes To determine the status of information security management activities To demonstrate security policies, directives and standards To determine the degree of compliance with those policies, directives and standards To provide relevant information about security policies, directives, standards and procedures to partners and other organizations To provide relevant information about information security to customers.

Controls specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The standard provides a model for adequate and proportionate security controls to protect information assets and give confidence to interested parties. It details hundreds of specific controls which may be applied to secure information and related assets.

Continual improvement ISMS Security Officer/Management responsibility End Users In Flow of Information Review Security Resource Satisfaction Security Area/Data Bank/Security Barrier Calculated doses of Information Customer and Legislative/Regulatory Requirements Input Output Key Value-adding activities Information flow ISMS Model

6 stage process and pdca approach. ISO 27001 (formerly The standard defines a 6 stage process and describes the pdca approach. IO 27001 (formerly BS7799) describes a 6 stage process Define an information security policy Define scope of the information security management system Perform a security risk assessment Manage the identified risk Select controls to be implemented and applied 6) Prepare an a "statement of applicability").

Process for Implementation Define an information security policy Define scope of the information security management system Perform a security risk assessment Manage the identified risk Select controls to be implemented and applied Prepare an SoA (a "statement of applicability").  

Is standard harmonized with other standards The standard provides a specification for ISMS and the foundation for third-party audit and certification. It is harmonized to work with other management system standards such as ISO 9001 and ISO 14001 It implements the Plan-Do-Check-Act (PDCA) model It reflects the principles of the 2002 OECD guidance on the security of information systems and networks

Holistic, risked-based approach to security, privacy and compliance Benefits Holistic, risked-based approach to security, privacy and compliance Provides a common framework for addressing legislative, regulatory and contractual compliance - Corporate Governance Demonstrates credibility, creates trust, improves satisfaction and confidence of stakeholders, partners, citizens and customers Demonstrates information security capability according to internationally accepted best practices

Benefits Contd Creates market differentiation due to prestige, image and external goodwill Reduces liability risk; demonstrates due diligence; lowers rates on cyber risk insurance premiums Demonstrates Certifiable, Proven, Defensible, Cost-Effective, Recognition of Best Practices Demonstrates due diligence by maintaining certification through semi-annual 3rd Party surveillance visits

Reduced cost and business disruption from client risk assessments Benefits Contd Reduced cost and business disruption from client risk assessments Assures policies & procedures are in accordance with internationally recognized criteria, structure and methodology Provides your organization with a continuous protection framework that allows for a flexible, effective, and defensible approach to security and privacy