Information Security Management

Presentation on theme: "Information Security Management"— Presentation transcript:

1 Information Security Management: standards and models

2 Information Security Management Systems

3 SYSTEM A set of things working together as parts of a mechanism or an interconnecting network

4 International Organization for Standardization
ISO is based in Geneva, Switzerland.
Founded in 1947.
146 member nations, 1 member per country (represented through its national standards organization – ANSI, DIN, SABS, etc.).
13,700 standards, 3,000 technical bodies, experts.

5 International Organization for Standardization
NGO – unlike the UN, delegates are not national governments (though they may be mandated by government); roots in the private sector and industry associations.
All ISO standards are based on consensus.
ISO’s work involves all relevant stakeholders and includes experts from industry and commerce, government, consumers, labour, academia, standards applications and NGOs.

6 International Organization for Standardization
ISO is the world's largest developer of standards. Because "International Organization for Standardization" would have different abbreviations in different languages ("IOS" in English, "OIN" in French), it was decided at the outset to use a word derived from the Greek ISOS, meaning "equal". Therefore, whatever the country, whatever the language, the short form of the organization's name is always ISO.

7 International Organization for Standardization
Full members (or member bodies) influence ISO standards development and strategy by participating and voting in ISO technical and policy meetings. Full members sell and adopt ISO International Standards nationally. Correspondent members observe the development of ISO standards and strategy by attending ISO technical and policy meetings as observers. Correspondent members can sell and adopt ISO International Standards nationally. Subscriber members keep up to date on ISO’s work but cannot participate in it. They do not sell or adopt ISO International Standards nationally.

8 The ISO system (at June 2007)
156 national members.
Consensus at two levels: amongst global experts, and amongst countries through ISO members.
Catalogue of more than published standards.
IT tools, standards development procedures, consensus building, dissemination.
685 active committees, 3 000 technical bodies, experts.
Central Secretariat in Geneva, 150 staff.

9 Some Types of ISO
ISO 9000: family that addresses various aspects of quality management and contains some of ISO’s best known standards.
ISO : a series of environmental management standards.
ISO : Automotive Quality Management.
ISO (27002): a code of practice for information security.
OHSAS : an international occupational health and safety management system specification.

10 The ISO contribution to conformity assessment
World Standards Cooperation (WSC) – the leading international standards bodies collaborate to meet the challenges of converging technologies.
Use of common conformity assessment standards: multi-discipline and cross-sector, including conformity assessment for electrotechnology and for telecommunications.

11 What is ISO/IEC 17799?
NOT IT security – it's about information security.
A risk-based approach for defining policy and procedures and for selecting appropriate controls to manage risk.
A standard on best practice for information security management.

12 History and Development of ISMS
Background
Original work done in the early ‘90s.
1993: publication of the original PD0005 Code of Practice, the predecessor to part 1 before its formal approval by BSI.
BS7799 “A Code of Practice for Information Security Management” was developed as a result of industry, government and commerce demand for a common framework to enable companies to develop, implement and measure effective security management practice and to provide confidence in inter-company trading. BS7799, part 1, was based on the best current information security practice of leading British and international businesses at the time of its development.
1995: BS 7799:1 adopted as the BS 7799 Code of Practice; establishment of demand for certification and early unaccredited certifications by certification companies.
1997: failed ISO fast track (“Not invented here” and too technical).
1998: BS 7799:2 – publication of part 2 and renaming of the code as part 1.
1999: BS7799:1999 Part 1 – revised recommendations; BS7799:1999 Part 2 – revised certification requirements; updated version of BS 7799 Parts 1 and 2; Swedish standards SS Parts 1 and 2.
December 2000: ISO/IEC 17799:2000 – BS 7799 part 1 published as an ISO standard.
2001: review of BS.
September 2002: updated version of BS (revised and corrected); the Standard is republished with harmonisation with ISO 9000 and ISO 14000.
Goal (development is going fast)
Easy to understand; no dependency on technology; best practice; not just IT; market driven development.

13 Some ISO/IEC History
BS 7799:1: 1995
BS 7799:1: 1999
ISO/IEC 17799: 2000
WG1 managing 1st revision, due 200x

14 BS7799 or ISO 17799?
ISO (part 1) is a guide containing controls and recommendations by which an organization can ensure the security of its information.
BS 7799 (part 2) proposes measures for an efficient information security management framework. BS helps an organization establish an information security management system (ISMS) and thus prepare for the audit.

15 Who’s it for ? BS 7799/ISO can be used by any organization or company. If your organization uses computer systems, possesses confidential data, depends upon information systems in the context of its business activities, or simply wants to adopt a high level of security while complying with a standard, BS 7799/ISO is the solution.

16 The purpose of BS 7799 The purpose of BS 7799 is to assure the confidentiality, integrity and availability of information assets for you but more importantly, your customers. Assurance is attained through controls that management creates and maintains within the organization. To do this BS 7799 defines a process that on completion provides the basis for the whole of the Information Security Management System.

17 The purpose of BS 7799
The key factors of this process are as follows:
Define a security policy
Define the scope of the ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability


19 ISO 17799 vs BS 7799
ISO 17799:2000 – Code of Practice for Information Security Management. Best practices framework. From 7.2.1, Equipment siting and protection: “Equipment should be sited or protected to reduce the risks from environmental threats….”
BS :2002 – Information Security Management Systems Specification With Guidance For Use. Auditing specification. From 7.2.1: “Equipment shall be sited or protected….”
ISO has begun the study period of BS :2002 towards adoption.

20 The Ten Key Contexts of BS7799
The ten key controls identified by BS 7799 for the implementation of a successful information security program are:
Security policy
Organizational security
Asset classification and control
Personnel security
Physical and environmental security
Communications and operations management
Access control
Information systems development & maintenance
Business continuity management
Compliance
Together they protect confidentiality, integrity and availability. The degree of assurance required is attained through controls that management creates and maintains within the organization.

21 BS 7799 part 1 – 10 Areas: To have and to hold
Security policy: Adopting a security process that outlines an organization's expectations for security, which can then demonstrate management's support and commitment to security. Objective: provide guidelines and management advice for improving information security.
Security organization: Having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process. Objective: facilitate information security management within the organization.

22 10 Areas: To have and to hold
Asset classification and control: Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security. Objective: carry out an inventory of assets and protect these assets effectively.
Personnel security: Making security a key component of the human resources and business operations. This includes writing security expectations into job responsibilities (IT admins and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents. Objective: minimize the risks of human error, theft, fraud or the abusive use of equipment.

23 10 Areas: To have and to hold
Physical and environmental security: Establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment. Objective: prevent the violation, deterioration or disruption of industrial facilities and data.
Communications and operations management: Preventing security incidents by implementing preventive measures, such as using antivirus protection, maintaining and monitoring logs, securing remote connections and having incident response procedures. Objective: ensure the adequate and reliable operation of information processing devices.

24 10 Areas: To have and to hold
Access control: Protecting against internal abuses and external intrusions by controlling access to network and application resources through such measures as password management, authentication and event logging. Objective: control access to information.
Systems development and maintenance: Ensuring that security is an integral part of any network deployment or expansion, and that existing systems are properly maintained. Objective: ensure that security is incorporated into information systems.

25 10 Areas: To have and to hold
Business continuity management: Planning for disasters, natural and man-made, and recovering from them. Objective: minimize the impact of business interruptions and protect the company’s essential processes from failure and major disasters.
Compliance: Complying with any applicable regulatory and legal requirements. Objective: avoid any breach of criminal or civil law, of statutory or contractual requirements, and of security requirements.

26 The Ten Key Contexts of BS7799
Organizational: 1. Security policy; 2. Organizational security; 3. Asset classification and control; 7. Access control; 10. Compliance.
Operational: 4. Personnel security; 5. Physical and environmental security; 6. Communications and operations management; 8. Systems development and maintenance; 9. Business continuity management.

27 ISO N
ISO/IEC 27001:2005, Information security management systems — Requirements
ISO/IEC 27002:2005, Code of practice for information security management
ISO/IEC 27003, Information security management system implementation guidance
ISO/IEC 27004, Information security management — Measurement
ISO/IEC 27005, Information security risk management
ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems (guide to auditing information security management systems)

28 Is it ISO or just BS? ISO (the International Organization for Standardization) and IEC (the International ElectroTechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.

29 Information Security Management
Section 3 : ISO 27001 Information Security Management

30 Is it ISO or just BS? In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.

31 General points- Goals:
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

32 General points- Goals:
The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the size and structure of the organization.

33 Process Approach This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.

34 Process Approach The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.

35 Process Approach The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of:
a) understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS;
d) continual improvement based on objective measurement.

36 PDCA model This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes.

37 PDCA: development, maintenance and improvement cycle (BS ISO/IEC 27001:2005)
Input – interested parties: information security requirements and expectations.
Plan: establish the ISMS.
Do: implement and operate the ISMS.
Check: monitor and review the ISMS.
Act: maintain and improve the ISMS.
Output – interested parties: managed information security.

38 PDCA Model Applied to ISMS
Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

39 ISMS: General requirements:
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces. For the purposes of this International Standard the process used is based on the PDCA model.

40 Establishing the ISMS
Define the scope and boundaries of the ISMS (in terms of the characteristics of the business, location, assets, technology, …).
Define an ISMS policy (in terms of the characteristics of the business, location, assets, technology, …) that:
includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;
takes into account business and legal or regulatory requirements, and contractual security obligations;
aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place;
establishes criteria against which risk will be evaluated;
has been approved by management.

41 Establishing the ISMS
Define the risk assessment approach of the organization:
Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
Develop criteria for accepting risks and identify the acceptable levels of risk.
RISK ASSESSMENT: overall process of risk analysis and risk evaluation.
Identify the risks:
Identify the assets within the scope of the ISMS, and the owners of these assets.
Identify the threats to those assets.
Identify the vulnerabilities that might be exploited by the threats.
Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

42 Establishing the ISMS
Analyze and evaluate the risks:
Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented.
Estimate the levels of risks.
Determine whether the risks are acceptable or require treatment.

43 Establishing the ISMS
Identify and evaluate options for the treatment of risks:
applying appropriate controls;
knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies and the criteria for accepting risks;
avoiding risks;
transferring the associated business risks to other parties, e.g. insurers, suppliers.
RISK TREATMENT: process of selection and implementation of measures to modify risk.

44 Establishing the ISMS Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements. The control objectives and controls shall be selected as part of this process as suitable to cover the identified requirements.

45 Establishing the ISMS
Obtain management approval of the proposed residual risks.
Obtain management authorization to implement and operate the ISMS.
Prepare a Statement of Applicability covering:
the control objectives and controls selected and the reasons for their selection;
the control objectives and controls currently implemented;
the exclusion of any control objectives and controls, with justification for their exclusion.
SOA: documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.
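The steps on slides 41 to 45 (identify assets, threats, vulnerabilities and impacts; estimate likelihood and risk level; compare against acceptance criteria; choose a treatment option; record residual risk for management approval; prepare the Statement of Applicability) can be exercised end to end on a small risk register. The following Python example is added here as an illustration; it is not from the presentation and not text of ISO/IEC 27001. The 1–5 scales, the rule "risk level = likelihood × impact", the acceptance criterion `ACCEPTABLE_LEVEL`, the sample risks and the control catalogue are all constructed; of the control identifiers only `7.2.1` (Equipment siting and protection) is one the slides quote, the `CTRL-*` ids are placeholders.

```python
"""ISMS risk assessment, treatment and Statement of Applicability walk-through.
Added example for slides 41-45; constructed data, not part of the presentation
or of ISO/IEC 27001. Assumptions: 1-5 qualitative scales for likelihood and
impact, risk level = likelihood x impact, acceptable when level <= ACCEPTABLE_LEVEL."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPTABLE_LEVEL = 6                      # constructed acceptance criterion (slide 41)
TREATMENT_OPTIONS = ("apply controls", "accept", "avoid", "transfer")  # slide 43

# Hypothetical control catalogue: 7.2.1 is the control quoted on the slides,
# the CTRL-* identifiers are placeholders rather than real standard references.
CONTROL_CATALOGUE = {
    "7.2.1": "Equipment siting and protection",
    "CTRL-AC-1": "Access control policy",
    "CTRL-BC-1": "Business continuity planning",
}


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    cia_impact: Dict[str, int]             # impact (1-5) of losing C, I and A of the asset
    likelihood: int                        # realistic likelihood (1-5) given current controls
    treatment: Optional[str] = None        # chosen TREATMENT_OPTIONS entry
    control: Optional[str] = None          # catalogue id when treatment is "apply controls"
    residual_likelihood: Optional[int] = None  # expected likelihood after treatment

    def impact(self) -> int:
        # Worst-case consequence across confidentiality, integrity, availability (slide 42).
        return max(self.cia_impact.values())

    def level(self) -> int:
        return self.likelihood * self.impact()

    def requires_treatment(self) -> bool:
        return self.level() > ACCEPTABLE_LEVEL

    def residual_level(self) -> int:
        if self.treatment == "avoid":      # the activity is stopped, so no residual risk
            return 0
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lk * self.impact()


def treat(risk: Risk, option: str, control: Optional[str] = None,
          residual_likelihood: Optional[int] = None) -> Risk:
    """Record a treatment decision (slide 43). Accepting is only allowed when the
    risk satisfies the acceptance criterion; applying controls needs a catalogue
    control and an estimate of the likelihood after it is in place."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "accept" and risk.requires_treatment():
        raise ValueError("risk exceeds the acceptance criterion and cannot simply be accepted")
    if option == "apply controls":
        if control not in CONTROL_CATALOGUE:
            raise ValueError("selected control must come from the control catalogue")
        if residual_likelihood is None:
            raise ValueError("state the expected likelihood once the control is in place")
    risk.treatment, risk.control, risk.residual_likelihood = option, control, residual_likelihood
    return risk


def residual_risks_for_approval(risks: List[Risk]) -> List[Risk]:
    """Residual risks still above the criterion need explicit management approval (slide 45)."""
    return [r for r in risks if r.treatment is not None and r.residual_level() > ACCEPTABLE_LEVEL]


def statement_of_applicability(risks: List[Risk]) -> Dict[str, Dict[str, str]]:
    """Selected controls with the reason for selection, excluded ones with a justification."""
    soa: Dict[str, Dict[str, str]] = {}
    for cid, name in CONTROL_CATALOGUE.items():
        treated = [r for r in risks if r.control == cid]
        if treated:
            reasons = "; ".join(f"treats {r.threat} against {r.asset}" for r in treated)
            soa[cid] = {"name": name, "status": "selected", "justification": reasons}
        else:
            soa[cid] = {"name": name, "status": "excluded",
                        "justification": "no identified risk within the ISMS scope requires it"}
    return soa


def build_register() -> List[Risk]:
    """Constructed sample register: three assets, each with owner, threat, vulnerability."""
    risks = [
        Risk("customer database", "sales manager", "unauthorised disclosure",
             "no access restriction on the shared drive", {"C": 5, "I": 3, "A": 2}, 3),
        Risk("office printer", "facilities", "hardware failure",
             "no maintenance contract", {"C": 1, "I": 1, "A": 2}, 3),
        Risk("web server", "IT operations", "flood damage",
             "server room in the basement", {"C": 1, "I": 1, "A": 4}, 2),
    ]
    treat(risks[0], "apply controls", control="CTRL-AC-1", residual_likelihood=1)
    treat(risks[1], "accept")                 # level 6, within the criterion
    treat(risks[2], "transfer")               # e.g. to an insurer; residual stays 8
    return risks


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset:18} level={r.level():2} treat={r.requires_treatment()!s:5} "
              f"-> {r.treatment}, residual={r.residual_level()}")
    print("needs management approval:", [r.asset for r in residual_risks_for_approval(register)])
    for cid, entry in statement_of_applicability(register).items():
        print(cid, entry["status"], "-", entry["justification"])
```

Running it shows the customer database (level 15) brought to residual 5 by the selected control, the printer risk accepted at level 6, and the transferred web-server risk still at 8, which is why it appears in the list for management approval; the Statement of Applicability selects only `CTRL-AC-1` and records a justification for the two controls left out.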

46 Implement & operate the ISMS
Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks.
Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
Implement selected controls to meet the control objectives.

47 Implement & operate the ISMS
Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results.
Implement training and awareness programs.
Manage operation of the ISMS.
Manage resources for the ISMS.
Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents.

48 Monitor & Review the ISMS
Execute monitoring and reviewing procedures and other controls to:
promptly detect errors in the results of processing;
promptly identify attempted and successful security breaches and incidents;
enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
help detect security events and thereby prevent security incidents by the use of indicators; and
determine whether the actions taken to resolve a breach of security were effective.

49 Monitor & Review the ISMS
Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls).
Measure the effectiveness of controls to verify that security requirements have been met.

50 Monitor & Review the ISMS
Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to:
the organization;
technology;
business objectives and processes;
identified threats;
effectiveness of the implemented controls; and
external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.

51 Monitor & Review the ISMS
Conduct internal ISMS audits at planned intervals.
Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
Update security plans to take into account the findings of monitoring and reviewing activities.
Record actions and events that could have an impact on the effectiveness or performance of the ISMS.

52 Maintain & Improve the ISMS
Implement the identified improvements in the ISMS.
Take appropriate corrective and preventive actions. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.
Ensure that the improvements achieve their intended objectives.

53 Appendix…

54 Document Requirements
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.

55 The ISMS documentation shall include:
documented statements of the ISMS policy and objectives;
the scope of the ISMS;
procedures and controls in support of the ISMS;
a description of the risk assessment methodology;
the risk assessment report;
the risk treatment plan;
documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and to describe how to measure the effectiveness of controls;
records required by this International Standard;
the Statement of Applicability.

56 Control of documents Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:
approve documents for adequacy prior to issue;
review and update documents as necessary and reapprove documents;
ensure that changes and the current revision status of documents are identified;
ensure that relevant versions of applicable documents are available at points of use;
ensure that documents remain legible and readily identifiable;
ensure that documents are available to those who need them;
ensure that documents of external origin are identified;
ensure that the distribution of documents is controlled;
prevent the unintended use of obsolete documents;
apply suitable identification to them if they are retained for any purpose.

57 Management responsibility
establishing an ISMS policy;
ensuring that ISMS objectives and plans are established;
establishing roles and responsibilities for information security;
providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS;
deciding the criteria for accepting risks and the acceptable levels of risk;
ensuring that internal ISMS audits are conducted;
conducting management reviews of the ISMS.

58 Resource management – Provision of resources
1- establish, implement, operate, monitor, review, maintain and improve an ISMS;
2- ensure that information security procedures support the business requirements;
3- identify and address legal and regulatory requirements and contractual security obligations;
4- maintain adequate security by correct application of all implemented controls;
5- carry out reviews when necessary, and react appropriately to the results of these reviews; and
6- where required, improve the effectiveness of the ISMS.

59 Resource management – Training, awareness and competence
1- determining the necessary competencies for personnel performing work affecting the ISMS;
2- providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
3- evaluating the effectiveness of the actions taken;
4- maintaining records of education, training, skills, experience and qualifications.

60 Management review of the ISMS Review input
results of ISMS audits and reviews;
feedback from interested parties;
techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
status of preventive and corrective actions;
vulnerabilities or threats not adequately addressed in the previous risk assessment;
results from effectiveness measurements;
follow-up actions from previous management reviews;
any changes that could affect the ISMS; and
recommendations for improvement.

61 Management review of the ISMS Review output
Improvement of the effectiveness of the ISMS.
Update of the risk assessment and risk treatment plan.
Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS.
Resource needs.
Improvement to how the effectiveness of controls is being measured.

62 ISMS Improvement Corrective action
identifying nonconformities;
determining the causes of nonconformities;
evaluating the need for actions to ensure that nonconformities do not recur;
determining and implementing the corrective action needed;
recording results of action taken;
reviewing the corrective action taken.

63 ISMS Improvement Preventive action
identifying potential nonconformities and their causes;
evaluating the need for action to prevent occurrence of nonconformities;
determining and implementing the preventive action needed;
recording results of action taken;
reviewing the preventive action taken.

