
Introduction to ISO27001
Information Security Management System (ISMS)
By
Mr. Muhammad Usman Hamid
Senior Consultant – Catalyic Consulting
Agenda
• What is information and information security
• Types of Business information
• Storage and transmission of Information
• Introduction to ISO 27001
• Introduction to steps of ISO 27001 project
What is information?
• The facts provided or learned about something or someone are known as information.
• What is conveyed or represented by a particular arrangement or sequence of things is known as transmitted information.
• Information can be personal information or business information.
Types of information
• Personal can be:
– CNIC number
– Phone number
– Credit Card number
– Salary etc.
• Business
– Sales figures for day, month and year
– Projected turnover
– Marketing strategies
– Source code
– Vendor’s pricing
– Enhancing plans etc.
Impact of loss of information
• Blackmailing
• Mental trauma
• Loss of reputation
• Financial strain
• Loss of livelihood
• Loss of market share
• Loss of revenue etc.
Information Security
• Information exists in many forms and it has value in our life. This valuable information must be protected.
• The protection of valuable information is called information security.
Types of Business information
Business information falls into two groups:
• Information that is produced by the business
– Business intelligence
– Source code, new designs
– Financial data etc.
• Information that the business takes from others
– Information given by employees
– Customer records, documents etc.
Information produced by business – Financial Data
• Used for:
– Managing expenses and revenue
– Regulatory requirements
– Informing stakeholders about the financial health of the company
• Disclosure may lead to:
– Loss of competitive advantage
– Legal repercussions
Information produced by business – Business Intelligence
• Used for:
– Forecasting
– Producing new services and products
• Disclosure may lead to:
– Loss of competitive advantage
– Legal repercussions, loss of revenue and jobs etc.
Information produced by the business – Source code, New Design etc.
• Used for:
– Creating new products
– Becoming leader in the market
• Disclosure may lead to:
– Loss of competitive advantage
– Loss of market share and revenue
Information business takes from others – Data from customers
• Used for:
– Creating new products and services for the customers
• Disclosure may lead to:
– Loss of customers / business
– Loss of reputation
– Legal repercussions
Information business takes from others – Employee Record
• Used for:
– Maintaining the database of human resources for legal and business purposes.
• Disclosure may lead to:
– Loss of privacy of employees
– Loss of Livelihood
– Loss of reputation
– Legal repercussions
Storage of Information
Information can be stored on:
• Paper
• Electronic media
– Hard disk
– USB
– CD
– Chip
• Human mind
Information Transmitters
Information travels through many channels, for example:
• Internet
• Email
• Computers
• Printers
• Files
• Trash
• Phone
• Human mind
• Direct interaction
• And....

We should understand
• Information exists in different forms at different locations, with different types of threats to it.
• Every type of information threat should be countered differently.
• So we need a complete management system that can protect our valuable information, which is available from different sources and faces different threats.
Information Security Management System (ISMS)
An information security management system is a framework for continuously evaluating security risks to information and taking reasonable steps to protect the information.

The internationally accepted standard for an Information Security Management System is ISO27001.

Full name: ISO/IEC 27001:2013


Benefits of ISO 27001
• Leading international standard for information security management.
• Its purpose is to protect the confidentiality, integrity and availability of information.
• It does not focus only on information technology, but also on other important assets of the organization.
• Provides an opportunity to identify and manage risks to key information and system assets.
• Focuses on reducing the risks to information that is valuable for the organization.
• Allows an independent review of, and assurance on, your information security practices.
• The operations of the organization are optimized because responsibilities and business processes are clearly defined.
• Increases the confidence of customers and other stakeholders.
History & Evolution of ISO 27001
1992 - The Department of Trade and Industry, UK, published the 'Code of Practice for Information Security Management'.
1995 - Amended and re-published by the British Standards Institute as BS7799.
1999 - 1st major revision of BS7799 published.
2000 - BS7799 became ISO 17799, which is a code of practice.
2002 - BS7799-2 was published. It was a "Specification for Information Security Management System" and certifiable.
2005 - New version of ISO 17799 was published.
2005 - BS7799-2 became ISO 27001.
2013 - New version of ISO 27001 was published.


ISO 27000 Series
• ISO/IEC 27000 — Information security management systems
• ISO/IEC 27001 — Information security management systems
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC 27014 — Information security governance
ISO 27001
• Consists of 11 clauses (0 to 10)
– Clauses 4 to 10 are mandatory
• 114 control objectives divided into 14 groups
Steps to ISO 27001 Project
• Gap assessment / analysis (optional)
• Create the information security management forum
• Define the scope of the ISMS
• Asset identification and classification
• Risk analysis
• Risk management
• Internal audits
• Certification audit
Gap Assessment / Analysis
Why is gap analysis optional?
Gap analysis is a very useful tool for identifying where the processes practised in the organization deviate from the requirements of ISO 27001.
It is optional only in the sense that it can be done either before or after defining the scope and creating the ISM Forum / Steering Committee.
ISM Forum / Steering Committee
The forum is organised as a hierarchy:
• Information Security Chairman
– Chief Information Security Officer (CISO)
– Information Security Auditors
– Information Security Officers (one per business function, e.g. four officers)
Activities during ISMF Meetings
• Review the current status of the ISMS, information security risks etc.
• Approve new ISMS policies, initiatives and activities
• Review audit reports
• Recommend corrective actions for information security violations
• Consider new information security threats
• More....
Chairman’s Roles and Responsibilities
• Chair the ISMF meetings and reviews
• Final authority for approving or not approving decisions
• Take balanced decisions about information security
• Bring a sense of "business" to information security
CISO Roles and Responsibilities
• Undertake the responsibility of implementing the ISMS in the organization
• Initiate new ISMS activities
• Collect feedback from different department representatives as well as customers and regulatory bodies
• Inform the chairman about the status of the ISMF
ISO (Information Security Officer) Roles and Responsibilities
ISOs are mostly representatives of the different business functions, so the roles and responsibilities of an ISO are:
• Ownership of ISMS implementation in their respective business function
• Provide feedback to the CISO
• Provide information about new business requirements that may need information security support
Roles and Responsibilities of Auditors
The basic guideline and accepted best practice is that the implementer cannot be the auditor: no one may audit or check his/her own work.
Roles and responsibilities:
• Submit the audit report to the chairman of the ISMF
• Provide a balanced view of the quality of the ISMS implementation
• Maintain independence at all times
Define the Scope of ISMS
Scope definition is the step in which you specify "exactly what is being protected by the ISMS?". This usually includes the business functions, the information assets in those business functions and the geographical locations that will come under the ISMS program.
Sample ISMS Scope
“The information security management system is deployed for protecting the business information used by the HR, Admin, Research and Development, Sales and Marketing business functions of Rolustech Hafeez Suits, MM Alam Road Lahore”
Asset Identification and Classification
• Identification:
– Listing all the important information assets in the organization, as per the scope.
• Classification of the assets in terms of:
– Confidentiality
– Integrity
– Availability
Example of Asset Classification
Information Assets Include
Risk Analysis
Information security risk analysis is the process of determining the probability of an information asset being compromised (stolen, destroyed, corrupted etc.).
Terminologies of Risk Analysis
• Information asset:
– An information component of value.
Example: a computer is used to store the business information.
• Threat:
– Something that can compromise the information asset.
Example: virus
• Vulnerability:
– The weakness that can be exploited by the threat.
Example: absence of proper signature updates for the antivirus
• Probability:
– The likelihood of the threat exploiting the vulnerability.
Example: once in 2 years
Risk Management
Information risk management is the process of deploying suitable countermeasures (controls) to reduce the information security risks and protect the information assets.
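The three steps above (classifying assets by confidentiality, integrity and availability; recording threat, vulnerability and probability for each; and deciding which risks get a control) can be tied together in a small risk register. The following is an added example written for this page, not material from the presentation or from Catalyic Consulting. The numeric scales (CIA ratings 1..3, likelihood bands, and risk = likelihood x impact) are assumptions chosen for illustration; the assets, threats and vulnerabilities are constructed sample data, with the "virus / antivirus signatures not updated / once in 2 years" row taken from the slide's own examples.

```python
"""Toy ISMS risk register: asset classification, risk analysis, risk treatment.
Added example; all scales are assumptions, all sample data is constructed."""
from dataclasses import dataclass

# Assumed qualitative scale for the confidentiality / integrity / availability ratings.
CIA_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class InformationAsset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self) -> int:
        """Impact of compromise: the highest of the three CIA ratings (assumption)."""
        return max(CIA_LEVELS[self.confidentiality],
                   CIA_LEVELS[self.integrity],
                   CIA_LEVELS[self.availability])


@dataclass(frozen=True)
class Risk:
    asset: InformationAsset
    threat: str
    vulnerability: str
    events_per_year: float  # probability expressed as frequency: "once in 2 years" -> 0.5


def probability_from_interval(times: int, years: float) -> float:
    """Convert 'times in N years' (slide wording) into expected events per year."""
    if years <= 0:
        raise ValueError("years must be positive")
    return times / years


def likelihood_level(events_per_year: float) -> int:
    """Assumed banding: >= 1 per year is high (3), >= 1 in 5 years medium (2), else low (1)."""
    if events_per_year >= 1.0:
        return 3
    if events_per_year >= 0.2:
        return 2
    return 1


def risk_score(risk: Risk) -> int:
    """Qualitative score = likelihood x impact, giving 1..9 on the assumed scales."""
    return likelihood_level(risk.events_per_year) * risk.asset.impact()


def treatment(score: int, accept_below: int = 4) -> str:
    """Risk management decision: scores at or above the threshold need a control."""
    return "treat (deploy control)" if score >= accept_below else "accept"


def build_register(risks):
    """Register rows (asset, threat, score, treatment), highest risk first."""
    rows = [(r.asset.name, r.threat, risk_score(r), treatment(risk_score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample assets, classified in terms of C / I / A.
CUSTOMER_DB = InformationAsset("Customer records database", "high", "medium", "medium")
WORKSTATION = InformationAsset("Office workstation", "medium", "medium", "low")
BROCHURE = InformationAsset("Marketing brochure", "low", "low", "low")

# Constructed sample risks; the workstation row mirrors the slide's examples.
SAMPLE_RISKS = [
    Risk(WORKSTATION, "virus", "antivirus signatures not updated",
         probability_from_interval(1, 2)),          # once in 2 years
    Risk(CUSTOMER_DB, "unauthorised access", "shared administrator password",
         probability_from_interval(2, 1)),          # twice a year
    Risk(BROCHURE, "theft of printed copy", "printouts left at the printer",
         probability_from_interval(1, 10)),         # once in 10 years
]

if __name__ == "__main__":
    for asset_name, threat, score, decision in build_register(SAMPLE_RISKS):
        print(f"{score:>2}  {decision:<22}  {asset_name} / {threat}")
```

Running the block prints the register sorted by score, so the customer database (score 9) sits on top and the brochure (score 1) is accepted without a control; the workstation row scores 4 and crosses the assumed treatment threshold, which matches the slide's point that an out-of-date antivirus is a vulnerability worth a countermeasure.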
Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Certification Audit
Stage 1: Document review and building an understanding of the organization.
Stage 2: On the basis of Stage 1, audit evidence is collected.
