1. © 2013 Cambridge Technical CommunicatorsSlide 1 ISO/IEC 27001 Standard for Information Security Management Systems

2. © 2013 Cambridge Technical CommunicatorsSlide 2 Information Security Requirements ISO 27001 specifications ISO 27002 code of practise Download from BSI website: http://17799.standardsdirect.org Information Security Forum (ISF) publish the 2007 Standard of Good Practise (SoGP)

3. © 2013 Cambridge Technical CommunicatorsSlide 3 Process A) Identify information security risks: threats, vulnerabilities and impacts B) Design/implement information security controls: risk management - risk avoidance/risk transfer C) Maintain security policy/ adopt management process

4. © 2013 Cambridge Technical CommunicatorsSlide 4 ISMS Information Security Management System Broad set of general and IT-specific policies and controls that span the organisation Include IT, HR, management, business continuity, incident management and other business functions/areas:

5. © 2013 Cambridge Technical CommunicatorsSlide 5 Examples Teleworking/home working: access to data Training staff: on information security issues and procedures Recruitment: security checks, Data retention policies: how long, where stored, how backups are made, who can assess Staff roles: security permissions, access to sensitive information Access to data by third parties and suppliers

6. © 2013 Cambridge Technical CommunicatorsSlide 6 Certification process Stage 1 - informal review of security documentation Stage 2 - formal and detailed compliance audit Stage 3 - Follow-up reviews and audits

7. © 2013 Cambridge Technical CommunicatorsSlide 7 Security Documents Security policy document Statement of Applicability (SoA) Risk Treatment Plan (RTP) Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy

8. © 2013 Cambridge Technical CommunicatorsSlide 8 Mandatory requirements Define scope Define ISMS policy Define roles and responsibilities Define the risk assessment approach & criteria for accepting risk Define a level of acceptability of risk List assets & define owners Identify threats, vulnerabilities, impact, likely-hood and risk for each asset

9. © 2013 Cambridge Technical CommunicatorsSlide 9 Mandatory requirements Estimate levels of risk and define if risks are acceptable or not Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable List controls to implement Manage lifecycle of documentation Obtain management approval of residual; risks and for implementation plan Manage resources

10. © 2013 Cambridge Technical CommunicatorsSlide 10 Mandatory requirements Manage communications Implement controls Implement metric for each control Monitor performance of the controls Review effectiveness of the controls Corrective actions Preventive actions Internal audits Management reviews Write statement of applicability

11. © 2013 Cambridge Technical CommunicatorsSlide 11 ISMS Project Plan Identify documents and procedures required by ISO 27001; Locate templates and forms List activities to implement security plan: define scope; gap analysis, asset identification, risk assessment, SOA, policies, business continuity, internal audit

12. © 2013 Cambridge Technical CommunicatorsSlide 12 Thank you We appreciate your interest in CTC Tel: +44 0870 803 2095 Email: info@technical-communicators.com Web: www.technical-communicators.com