Iso 27001:2005

1
INFORMATION SECURITY
MANAGEMENT SYSTEM
ISO/IEC 27001:2005
2
What Is ISO?
The International Organization for Standardization (ISO) is a
worldwide federation of national standards bodies.

Working through Technical Committees, it has developed and
published over 18,000 different ISO standards that are used
internationally for subjects ranging from film speeds to wine glasses
to quality management systems.

The official purpose for the issuance of ISO Standards is to facilitate
world trade through standardization.

3
Standard Organizations
ISO International Organization for Standardization

IEC International Electrotechnical Commission

BSI British Standards Institute

Management
Systems
ISO 20000-1:2011
Service Management
ISO 22301
Business Continuity
Management
ISO 27001-2005
Information
Security
Management
System
ISO 9001:
2008
Quality
Management
System

ISO 31000 Risk
Management
4
5
Elements of a Management System
Management Commitment

Top management shall .

Participation in Management Reviews

Provide input for continuous improvement

Accountable for resource management

6
Resource Management

Identification of resources including human, technical,
information and financial

Identification of roles, accountability and responsibility (RACI)

Competence, awareness & training

7
Management Reviews

Required inputs including reviews of audits, customer feedback,
performance measurements, improvements, changes

Required outputs including actions recorded for improvements,
documented improvements and the effectiveness of those
improvements, additional follow-through of actions identified
such as resource needs or completion of changes identified

8
Document & Records Control

Documented procedure for creating, approving, maintaining,
protecting archiving and destroying documents & records

Identifying documents of external origin
9
Internal Audit

Document an audit plan

Identify internal auditors, hire or train

Document outputs and act upon findings

Timely reporting

10
Continual Improvement

Organization shall continually improve the effectiveness of the
management system through the use of the policy, objectives,
audit results, analysis of data, corrective and preventive actions
and management review

Corrective/Preventive Actions recorded, planned and updated
timely

Good Root Cause methodology

Review of effectiveness of actions taken
11
ISO 20000, 27001, 9001 Similarities

ISO 20000 ISO 27001 ISO 9001
4.0 SMS General
Requirements
4.0 ISMS
5.0 Management Responsibility
4.1 General requirements
4.1.1 Management
Commitment
5.1 Management Commitment
5.0 Management Commitment
4.3.2 Control of
Documents
4.3.2 Control of Documents 4.2.3 Control of Documents

4.3.3 Control of Records 4.3.3. Control of Records 4.2.4 Control of Records

4.4.1 Provision of
Resources
4.4.2 Human Resources
5.2.1 Provision of Resources
5.2.2 Training, Awareness &
Competence
6.0 Resource Management
4.5.4.2 Internal Audit 6 Internal ISMS audits 8.1.2 Internal audit

4.5.4.3 Management
Review
7 Management Review 5.6 Management Review
4.5.5 Maintain and
improve the SMS
8 ISMS improvement 8.4 Continual improvement

12
What is ISO/IEC 27001 Standard
Internationally accepted standard for information security
management
Auditable specification for information security management system
ISO/IEC 27001 is not only an IT standard.
Process, Technology and People Management standard.
Helps to combat fraud and promote secure operations.
Unified standard for security associated with the information life
cycle.

13
History of ISO/IEC 27001 Standard
1992
The Department of Trade and Industry (DTI), which is part of the UK Government,
publish a 'Code of Practice for Information Security Management'.

1995
This document is amended and re-published by the British Standards Institute (BSI) in
1995 as BS7799.

2000
In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It
becomes ISO 17799 (or more formally, ISO/IEC 17799).

2005
A new version of ISO 17799 is published. This includes two new sections, and closer
alignment with BS7799-2 processes..

2005
The latest version of ISMS is known as ISO/IEC 27001:2005
14
27000 Series of Standards
ISO/IEC publishes two standards that focus on an organizations ISMS:

The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799).
This standard can be used as a starting point for developing an
ISMS. It provides guidance for planning and implementing a program
to protect information assets. It also provides a list of controls
(safeguards) that you can consider implementing as part of your
ISMS.

The management system standard: ISO/IEC 27001. This standard
is the specification for an ISMS. It explains how to apply ISO/IEC
27002 (ISO/IEC 17799). It provides the standard against which
certification is performed, including a list of required documents. An
organization that seeks certification of its ISMS is examined against
this standard.
15
27000 Series of Standards
ISO/IEC 27001 - Information security management systems Requirements

ISO/IEC 27002 - Code of practice for information security management

ISO/IEC 27006 - Guide to the certification/registration process (published in 2007)

ISO/IEC 27000 - Vocabulary for the ISMS standards

ISO/IEC 27003 - ISMS implementation guide

ISO/IEC 27004 - Standard for information security management measurements

ISO/IEC 27005 - Standard for risk management

ISO/IEC 27007 - Guideline for auditing ISMS

ISO/IEC 27011 - Guideline for telecommunications in ISMS
16
Understanding the Standards - Documents
Most standards have at least two supporting documents

Requirements these are the shalls and are required to be
implemented unless exclusions can be taken. The auditor can only
audit against the shalls.

Code of Practice these are the shoulds and are guidance to
assist you in implementation.

Guideline a fully implementable standard that does not have a
certification scheme. You can be compliant, but not certified.

17
Stages for Registration
Submit application to registrar

Stage 1: Assessment of readiness

Stage 2: Assessment for registration audit

Registration/certification awarded for 3 years

Surveillance audits (at least annually)

Recertification audit at the end of 3
rd
year

18
Stages for Registration
Usually takes 1 or possibly 2 auditors 1 to 3 days

depending on scope, size, locations and personnel

You will be told whether or not you will be recommended for
registration at the completion of the Stage 2 audit

Certificate usually arrives a 2 6 weeks later

Maintaining your ISO Certification(s) is the first step in continuous
improvement

19
Overview of an ISMS
Information security is the protection of information to ensure:

Confidentiality: ensuring that the information is accessible only to
those authorized to access it.

Integrity: ensuring that the information is accurate and complete and
that the information is not modified without authorization.

Availability: ensuring that the information is accessible to authorized
users when required.

Information security is achieved by applying a suitable set of controls
(policies, processes, procedures, organizational structures, and
software and hardware functions).
20
Elements of Information Security
Information Security is the protection of information and information
assets to preserve :
21
What is Information Security Management
System
An Information Security Management System (ISMS) is a systematic
approach to managing sensitive company information and information
entrusted to companies by third parties so that it remains secure. It
encompasses people, processes and IT systems. It is an organizational
approach to information security.

Building a Information Security Management system is achieved through
the systematic assessment of the systems, technologies and media
contained information, appraisal of the loss of information, cost of
security breaches, and development & deployment of counter
measures to threats.
22
Process Approach: Plan, Do, Check, Act

Do
Plan
Check
Act
23
Structure of ISO/IEC 27001:2005
All activities must follow a method. The method is arbitrary but must be
well defined and documented.

A company or organization must document its own security goals. An
auditor will verify whether these requirements are fulfilled.

All security measures used in the ISMS shall be implemented as the
result of a risk analysis in order to eliminate or reduce risks to an
acceptable level.

The standard offers a set of security controls. It is up to the organization
to choose which controls to implement based on the specific needs of
their business.

24
Structure of ISO/IEC 27001:2005
A process must ensure the continuous verification of all elements of the
security system through audits and reviews.

A process must ensure the continuous improvement of all elements of
the information and security management system.

(The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act
[PDCA] model as its basis and expects the model will be
followed in an ISMS implementation.)
25
Management Commitment
Management must make a commitment to the establishment,
implementation, operation, monitoring, review, maintenance, and
improvement of the ISMS. Commitment must include activities such as
ensuring that the proper resources are available to work on the ISMS and
that all employees affected by the ISMS have the proper training,
awareness, and competency.

Establishment of the following items demonstrates management
commitment:

An information security policy; this policy can be a standalone document
or part of an overall security manual that is used by an organization.

26
Management Commitment (Cont.)
Information security objectives and plans; again this information can be
a standalone document or part of an overall security manual that is used
by an organization

Roles and responsibilities for information security; a list of the roles
related to information security should be documented either in the
organizations job description documents or as part of the security
manual or ISMS description documents

Announcement or communication to the organization about the
importance of adhering to the information security policy

Sufficient resources to manage, develop, maintain, and implement the
ISMS
27
Management Commitment (Cont.)
In addition, management will participate in the ISMS Plan-Do-Check-Act
[PDCA] process, as described in ISO/IEC 27001 by:

Determining the acceptable level of risk. (Evidence of this activity can
be incorporated into the risk assessment documents)

Conducting management reviews of the ISMS at planned intervals.
(Evidence of this activity can be part of the approval process for
the documents in the ISMS)

Ensuring that personnel affected by the ISMS are provided with training,
are competent for the roles and responsibilities they are assigned to
fulfill, and are aware of those roles and responsibilities. (Evidence of
this activity can be through employee training records and
employee review documents)
POLICY
Establish the context
-Define Information Security policy
and objectives
-ISMS scope and policy
-Security Organization
-Risk identification and assessment
- Identify risks
- Analyze risks
- Evaluate
Manage the risk
- Identify and evaluate options for
managing the risks
- Select controls and objectives for
the treatment and management of
risk
- Implement selected controls
- Statement of applicability
Monitor The Progress
Create Monitoring Rules
Monitor and review ISMS

Improve ISMS
- Identify improvements in
the ISMS and implement
them
- Take appropriate
Corrective and preventive
actions
- Communicate and consult
(management,stakeholders,
users etc.)
ISMS Implementation

ISMS Implementation
28
29
1. PLAN

Establish the ISMS
30
Define the scope of the ISMS
Determine the extent to which you want the ISMS to apply to
your organization

Lists of the areas, locations, assets, and technologies of the
organization that will be controlled by the ISMS.

What areas of your organization will be covered by the ISMS?

What are the characteristics of those areas; its locations, assets,
technologies to be included in the ISMS?

Will you require your suppliers to abide by your ISMS?

Are there dependencies on other organizations? Should they be
considered?
31
Define the risk assessment approach
Risk assessment is the process of identifying risks by analyzing threats to,
impacts on, and vulnerabilities of information and information systems and
processing facilities, and the likelihood of their occurrence. Choosing a risk
assessment method is one of the most important parts of establishing an
ISMS.

To meet the requirements of ISO/IEC 27001, you will need to define and
document a method of risk assessment and then use it to assess the risk to
your identified information assets, make decisions about which risks are
intolerable and therefore need to be mitigated, and manage the residual
risks through carefully considered policies, procedures, and controls.
32
ISO/IEC 27001 does not specify the risk assessment method you should
use; however, it does state that you must use a method that enables you to
complete the following tasks:

Evaluate risk based on levels of Confidentiality, Integrity, and
Availability

Set objectives to reduce risk to an acceptable level

Determine criteria for accepting risk

Evaluate risk treatment options

Some risk assessment methods provide a matrix that defines levels of
confidentiality, integrity, and availability and provide guidance as to when
and how those levels should be applied, as shown in the following table:
33
34
If you are unfamiliar with risk assessment methods, you might want to refer
to these published examples:

ISO/IEC 13335 (Management of information and communications
technology security)

NIST SP 800-30 (Risk Management Guide for Information Technology
Systems) http://csrc.nist.gov/publications/nistpubs/

ISO/IEC 31000:2009

Risk assessment methods that are specific to the industry of your
organization
35
Identify the information assets
To identify risks and the levels of risks associated with the information you
want to protect, you first need to make a list of all of your information assets
that are covered in the scope of the ISMS.

You should have a list of the information assets to be protected and an
owner for each of those assets. You might also want to identify where the
information is located and how critical or difficult it would be to replace.

Because you will need this list to document your risk assessment, you
might want to group the assets into categories and then make a table of all
the assets with columns for assessment information and the controls you
choose to apply.
36
Identify the information assets (Cont.)
Example:

37
Identify risks and classify them according to their severity and vulnerability.
In addition, you will need to identify the impact that loss of confidentiality,
integrity, and availability may have on the assets. Start by identifying actual
or potential threats and vulnerabilities for each asset.

A threat is something that could cause harm.

A declaration of the intent to inflict harm or misery

Potential to cause an unwanted incident, which may result in harm
to a system or organization and its assets

Intentional, accidental, or man-made act that could inflict harm or a
natural disaster

38
Continued:

A vulnerability is a source or situation with a potential for harm

a broken window; it might encourage harm, such as a break in

A risk is a combination of the likelihood and severity or frequency that a
specific threat will occur.

For each asset, you should identify vulnerabilities that might exist for that
asset and threats that could result from those vulnerabilities.
39
Example:

40
Perform the risk assessment
After you have identified the risks and the levels of confidentiality, integrity,
and availability, you will need to assign values to the risks.

The values will help you determine if the risk is tolerable or not and whether
you need to implement a control to either eliminate or reduce the risk.

To assign values to risks, you need to consider:

The value of the asset being protected

The frequency with which the threat or vulnerability might occur

The damage that the risk might inflict on the company or its
customers or partners
41
Perform the risk assessment
Note:

Be sure to refer to your Risk Assessment Methodology document to
determine the implication of a certain risk value. To keep your ISMS
manageable, your Risk Assessment Methodology might specify that
only risks with a value of Medium or High will require a control in your
ISMS. Based on your business needs and industry standards, risk will
be assigned appropriate values.
42
43
Select controls
For the risks that youve determined to be intolerable, you must take one of
the following actions:

Decide to accept the risk
actions are not possible because they are out of your control (such
as natural disaster or political uprising) or are too expensive

Transfer the risk
purchase insurance against the risk, subcontract the activity so that
the risk is passed on to the subcontractor, etc.

Reduce the risk to an acceptable level through the use of controls

To reduce the risk, you should evaluate and identify appropriate controls.
These controls might be controls that your organization already has in
place or controls that are defined in the ISO/IEC 27002 (ISO/IEC 17799)
standard.
44
Select controls (Cont.)
Note:

An examination of the controls that you already have in place against
the standard and then using the results to identify what controls are
missing is commonly called a gap analysis
45
46
Statement of Applicability (SoA)
The Statement of Applicability (SoA) documents the control objectives and
controls selected from Annex A.

The SoA is usually a large table in which each control from Annex A of
ISO/IEC 27001 is listed with its description and corresponding columns that
indicate:

whether that control was adopted by the organization

the justification for adopting or not adopting the control

a reference to the location where the organizations procedure for using
that control is documented.
47
48
2. DO

Implement and Operate the ISMS
49
Risk Treatment Plan (RTP)
The risk treatment plan is the immediate output of the Risk Assessment. It
defines how, based on the criteria established by senior management, each
risk is to be handled. The options are to:

1. Knowingly accept the risk as it falls within the organization's "risk
appetite", in other words management deem the risk acceptable,
compared to the cost of improving controls to mitigate it

2. Implement a suitable control or combination of controls to reduce
(mitigate) the risk to a more acceptable level.

3. Avoid the risk (i.e. do not undertake the associated business activity)

4. Transfer the risk to another organization (e.g. through insurance or by
contractual arrangements with a business partner)
50
Risk Treatment Plan (RTP)
The Risk Treatment Plan is the process of managing control
implementation and should include what to do, how to do it, when to do it
and who should do it.

Control Selection output of the Risk Assessment

Risks

Tasks

Assigned responsibility to a person

Scheduled timeline

Completion Date
51
Implementing controls through policies,
processes and procedures
For each control that is defined, there must be corresponding
statements of policy or in some cases a detailed procedure. The
procedure and policies are used by affected personnel so they
understand their roles and so that the control can be implemented
consistently. The documentation of the policy and procedures is a
requirement of ISO/IEC 27001.

The number of policies, procedures, and records that you will require as
part of your ISMS will depend on a number of factors, including the
number of assets you need to protect and the complexity of the controls
you need to implement.
52
Training and awareness program
Adequate resources (people, time, money) should be allocated to the
operation of the ISMS and all security controls. The staff who must work
within the ISMS (maintaining it and its documentation and implementing its
controls) must receive appropriate training. The success of the training
program should be monitored to ensure that it is effective. Therefore, in
addition to the training program, you should also establish a plan for how
you will determine the effectiveness of the training.

Requirements:
A list of the employees who will work within the ISMS
All of the ISMS procedures to use for identifying what type of training is
needed and which members of the staff or interested parties will require
training
Management agreement to the resource allocation and the training
plans
53
Training and awareness program
If you want your personnel to implement all the new policies and
procedures, first you have to explain to them why they are necessary, and
train your people to be able to perform as expected. The absence of these
activities is the second most common reason for ISO 27001 project failure.

Specific documentation is not required in the ISO/IEC standards. However,
to provide evidence that resource planning and training has taken place,
you should have some documentation that shows who has received
training and what training they have received. In addition, you might want to
include a section for each employee that lists what training they should be
given. Also, you will probably have some type of procedure for determining
how many people, how much money, and how much time needs to be
allocated to the implementation and maintenance of your ISMS. Its
possible that this procedure already exists as part of your business
operating procedures or that you will want to add an ISMS section to that
existing documentation.
54
ISMS operation
This is the part where ISO 27001 becomes an everyday routine in your
organization. The crucial word here is: records. Auditors love records
without records you will find it very hard to prove that some activity has
really been done. But records should help you in the first place using
them you can monitor what is happening you will actually know with
certainty whether your employees (and suppliers) are performing their tasks
as required.
55
Incidents management
The first goal of the incident management process is to restore a normal
service operation as quickly as possible and to minimize the impact on
business operations, thus ensuring that the best possible levels of service
quality and availability are maintained.

ITIL v3 terminology defines an incident as:

An unplanned interruption to an IT Service or a reduction in the Quality
of an IT Service. Failure of a Configuration Item that has not yet
impacted Service is also an Incident.

ISO 20000 defines an incident as:

Any event which is not part of the standard operation of a service and
which causes or may cause an interruption to, or a reduction in, the
quality of that service.
56
Incidents management (Cont.)
Activities of Incident Management:

Identification - detect or report the incident

Registration - the incident is registered in a ICM System

Categorization - the incident is categorized by priority , SLA etc.
attributes defined above

Prioritization - the incident is prioritized for better utilization of the
resources and the Support Staff time

Diagnosis - reveal the full symptom of the incident

Escalation - should the Support Staff need support from other
organizational units
57
Continued:

Investigation and diagnosis - if no existing solution from the past could
be found the incident is investigated and root cause found

Resolution and recovery - once the solution is found the incident is
resolved

Incident closure - the registry entry of the incident in the ICM System is
closed by providing the end-status of the incident
58
Incident Management according to ISO 27001 standard:

A.13.2 Management of information security incidents and
improvements

Objective: To ensure a consistent and effective approach is applied to
the management of information security incidents.

A.13.2.1 Responsibilities and procedures

Management responsibilities and procedures shall be established
to ensure a quick, effective, and orderly response to information
security incidents.

59
A.13.2.2 Learning from information security incidents

There shall be mechanisms in place to enable the types, volumes,
and costs of information security incidents to be quantified and
monitored.

A.13.2.3 Collection of evidence

Where a follow-up action against a person or organization after an
information security incident involves legal action (either civil or
criminal), evidence shall be collected, retained, and presented to
conform to the rules for evidence laid down in the relevant
jurisdiction(s).
60
3. CHECK

Monitor and Review the ISMS
61
Monitor and measure
To ensure that the ISMS is effective and remains current, suitable,
adequate, and effective, ISO/IEC 27001 requires:

Management to review the ISMS at planned intervals. The review must
include assessing opportunities for improvement, and the need for
changes to the ISMS, including the security policy and security
objectives, with specific attention to previous corrective or preventative
actions and their effectiveness.

Periodic internal audits

The results of the reviews and audits must be documented and records
related to the reviews and audits must be maintained.
62
Audit
To perform internal audits on a periodic basis, you need to define the
scope, criteria, frequency, and methods. You also need the procedure
(which should have been written beforehand) that identifies the
responsibilities and requirements for planning and conducting the audits,
and for reporting results and maintaining records.

The results of an internal audit should result in identification of
nonconformities and their related corrective actions or preventative actions.
ISO/IEC 27001 lists the activity and record requirements related to
corrective and preventative actions.
63
Review
Management does not have to configure your firewall, but it must know
what is going on in the ISMS, i.e. if everyone performed his or her duties, if
the ISMS is achieving desired results etc. Based on that, the management
must make some crucial decisions.

The results of a management review should include decisions and actions
related to:

Improvements to the ISMS

Modification of procedures that effect information security at all levels
within the organization

Resource needs
64
4. ACT

Maintain and Improve the ISMS
65
Corrective/Preventative action
The purpose of the management system is to ensure that everything that is
wrong (so-called non-conformities) is corrected, or hopefully prevented.

Therefore, ISO 27001 requires that corrective and preventive actions are
done systematically, which means that the root cause of a non-conformity
must be identified, and then resolved and verified. Hence it is known
exactly where problems (nonconformities) are to be reported, who needs to
review them and make a decision on how to resolve them, who is
responsible for eliminating them, etc.

66
Corrective action
Who can initiate corrective actions?
Anyone in the company can raise a corrective action, and the same goes
for your partners and suppliers who have a role in your ISMS. A corrective
action may be raised because of an internal audit report or because of the
results of testing and exercising, but also because someone thought of a
better way to write the policies and procedures.

Required documents
You should have the following documents regarding your corrective actions:
Corrective action procedure this procedure defines the basic rules for
resolving corrective actions how to raise one, where are they
documented, who has to make which decisions, how to control their
execution, etc.

Corrective actions these are the records of actual nonconformities,
decisions and activities made to resolve them.
67
Preventative action
Preventive actions are steps that are taken to avoid potential
nonconformities and make improvements. Preventive actions address
potential nonconformities (problems), ones that haven't yet occurred.
Preventive actions prevent the occurrence of problems by removing their
causes. In general, the preventive action process can be thought of as a
risk management process.
68
CA/PA according to ISO 27001 standard
8.2 Corrective action

The organization shall take action to eliminate the cause of
nonconformities with the ISMS requirements in order to prevent
recurrence. The documented procedure for corrective action shall
define requirements for:

a) identifying nonconformities
b) determining the causes of nonconformities
c) evaluating the need for actions to ensure that nonconformities do not
recur
d) determining and implementing the corrective action needed
e) recording results of action taken
f) reviewing of corrective action taken

69
CA/PA according to ISO 27001 standard
8.3 Preventive action

The organization shall determine action to eliminate the cause of
potential nonconformities with the ISMS requirements in order to
prevent their occurrence. Preventive actions taken shall be appropriate
to the impact of the potential problems. The documented procedure for
preventive action shall define requirements for:

a) identifying potential nonconformities and their causes
b) evaluating the need for action to prevent occurrence of
nonconformities
c) determining and implementing preventive action needed
d) recording results of action taken
e) reviewing of preventive action taken
70
Review
The point of clause 7.3 in ISO 27001 is to ask your executives to make
crucial decisions that will have a major impact on your ISMS. And this has
to be done in a systematic way.

For instance, your information security may need a larger budget, or your
existing alternative location may not be appropriate all such issues need
decisions from the top, and management review is exactly the place to
make such decisions. You can consider this management review to be
nothing more than a regular meeting of your top executives with a specific
topic: Information Security.

The minimum is to perform management review once a year, or more often
if any major change happens that can influence information security.
71
Review
What is to be discussed at the management review:

Your executives need to make at least the following decisions: whether the
ISMS has fulfilled its objectives, which improvements are needed, changes
to the scope, approval of the required resources, modification to the main
documents

You can use this requirement of ISO 27001 to do much more than mere
compliance. Use it for building a relationship with your decision makers!
72
Close the PDCA cycle
The "Plan Do Check Act" (PDCA) is a closed cycle, meaning that it will
never end.

Done with your ISMS implementation? Sorry, theres no such thing as
finished in the PDCA cycle. Because of the very nature of a continuous
improvement process - it will never be finished. Celebrate your success,
and then go back and keep tweaking it. You will keep tweaking your original
goals, amend them, and work to get closer and closer.
73
ISO/IEC 27001:2005 Checklist
The information security Management Program should include:

Define Scope and Boundaries of the ISMS

Define the Security Policy

Define a Risk Assessment Approach of Organisation

Identify the Information Assets and their Risks

Analyze and Evaluate the Risks

Identify and Evaluate options for Treatment of Risk

Select Control Objectives and Controls for treating Risks (Annexure A)

74
Continued:

Formulate Risk Treatment Plan and Implement RTP Plan

Implement Control to meet Control Objectives

Define how to measure effectiveness of the Controls

Implement Training and Awareness Program

Implement of procedures and other controls capable of detection of
Security Events / Incidents.

Promptly Detect errors in result of Processing

75
Continued:

Identify Security Breaches and Incidents

Regular Reviews of Effectiveness of the ISMS

Measure the Effectiveness

Review Risk assessment at planned intervals

Conduct Internal Audits

Implement the identified improvements

Take appropriate corrective and Preventive actions

76
Some of the Controls Recommended by the
Standard
Technology Process
People
- System Security
- UTM. Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
-Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak
Prevention
- Access
Management
- Change
Management
- Patch Management
- Configuration Mgmt
- Incident Response
-Incident
Management
-Business Continuity

- Training
- Awareness
- HR Policies
- Background Checks
- Roles /
responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt

77
Control Objectives / Controls (Annexure A)
Overall the Annexure A can be put in:
Domain Areas 11
Control Objectives 39
Controls 133
78
A.5 Security policy
A.5.1 Information security policy

Control Objective:

To provide management direction and support for information
security in accordance with business requirements and
relevant laws and regulations.

Controls:
Information security policy document
Review of the information security policy
79
A.6 Organisation of Information Security
A.6.1 Internal organization

Control Objective:

To Manage Information Security within the Organization.

Controls:
Management commitment to information security
Information security co-ordination
Allocation of information security responsibilities
Authorization process for information processing facilities
Confidentiality agreements
Contact with authorities
Independent review of information security
80
A.6 Organisation of Information Security
A.6.2 External parties

Control Objective:

To maintain the security of organizational information and
information processing facilities that are accessed processed,
communicated to, or managed by external parties

Controls:
Identification of risks related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements

81
A.7 Asset Management
A.7.1 Responsibility of Assets

Control Objective:

To achieve and maintain appropriate protection of
organizational assets

Controls:
Inventory of assets
Ownership of assets
Acceptable use of assets

82
A.7 Asset Management
A.7.2 Information classification

Control Objective:
To ensure that information receives an appropriate level of
protection

Controls:
Classification guidelines
Information labeling and handling
83
A.8 Human Resource Security
A.8.1 Prior to employment

Control Objective:

To ensure that employees, contractors and third party users
understand their responsibilities, and are the roles they are
considered for, and to reduce the risk of theft, fraud or misuse
of facilities

Controls:
Roles and responsibilities
Screening
Terms and conditions of employment
84
A.8.2 During employment

Control Objective:

To ensure that all employees, contractors and third party users
are aware of information security threats and concerns, their
responsibilities and liabilities and are equipped to support
organizational security policy in the course of their normal work
and to reduce the risk of human error.

Controls:
Management Responsibilities
Information security awareness, education and training
Disciplinary process
85
A.8.3 Termination or change of employment

Control Objective:

To ensure that employees, contractors and third party users
exit an organization or change employment in an orderly
manner.

Controls:
Termination responsibilities
Return of assets
Removal of access rights
86
A.9 Physical and Environmental Security
A.9.1 Secure areas

Control Objective:

To prevent unauthorized physical access, damage and
interference to the organization's premises and information.

Controls:
Physical security perimeter
Physical entry controls
Securing offices, rooms and facilities
Protecting against external and environmental threats
Working in secure areas
Public access, delivery and loading areas
87
A.9 Physical and Environmental Security
A.9.2 Equipment security

Control Objective:

To prevent loss, damage, theft or compromise of assets and
interruption to the organization's activities

Controls:
Equipment sitting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment off-premises
Secure disposal or re-use of equipment
Removal of property
88
A.10 Communications and operations
management
A.10.1 Operational procedures and responsibilities

Control Objective:

To ensure the correct and secure operation of information
processing facilities.

Controls:
Documented operating procedures
Change management
Segregation of duties
Separation of development, test and operational facilities

89
management
A.10.2 Third party service delivery management

Control Objective:

To implement and maintain the appropriate level of information
security and service delivery in line with third party service
delivery agreements

Controls:
Service delivery
Monitoring and review of third party services
Managing changes to third party services
Capacity management
System acceptance

90
management
A.10.3 System planning and acceptance

Control Objective:

To minimize the risk of systems failures

Controls:
Capacity management
System acceptance

91
management
A.10.4 Protection against malicious and mobile code

Control Objective:

To protect the integrity of software and information

Controls:
Controls against malicious code
Controls against mobile code
92
management
A.10.5 Back-up

Control Objective:

To maintain the integrity and availability of information and
information processing facilities

Controls:
Information Back-up

93
management
A.10.6 Network security management

Control Objective:

To ensure the protection of information in networks and the
protection of the supporting infrastructure

Controls:
Network controls
Security of network services
94
management
A.10.7 Media handling

Control Objective:

To protect unauthorized disclosure, modification, removal or
destruction of assets, and interruption to business activities

Controls:
Management of removable media
Disposal of media
Information handling procedures
Security of system documentation
95
management
A.10.8 Exchange of information

Control Objective:

To maintain the security of information and software exchanged
within an organization and with any external entity

Controls:
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Electronic messaging
Business information systems
96
management
A.10.9 Electronic commerce services

Control Objective:

To ensure the security of electronic commerce services and
their secure use.

Controls:
Electronic commerce
On-line transactions
Publicly available information
97
management
A.10.10 Monitoring

Control Objective:

To detect unauthorized information processing activities.

Controls:
Audit logging
Monitoring system use
Protection of log information
Administrator and operator logs
Fault logging
Clock synchronization
98
A.11 Access Control
A.11.1 Business requirement for access control

Control Objective:

To control access to information

Controls:
Access control policy
99
A.11 Access Control
A.11.2 User access management

Control Objective:

To ensure authorized user access and to prevent unauthorized
access to information systems

Controls:
User registration
Privilege management
User password management
Review of user access rights
100
A.11 Access Control
A.11.3 User responsibilities

Control Objective:

To prevent unauthorized user access and compromise or theft
of information and information processing facilities

Controls:
Password use
Unattended user equipment
Clear desk and clear screen policy

101
A.11 Access Control
A.11.4 Network access control

Control Objective:

To prevent unauthorized access to networked services

Controls:
Policy on the use of network services
User authentication for external connections
Equipment identification in networks
Remote diagnostic and configuration port protection
Segregation in networks
Network connection control
Network routing control

102
A.11 Access Control
A.11.5 Operating system access control

Control Objective:

To prevent unauthorized access to operating systems

Controls:
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time

103
A.11 Access Control
A.11.6 Application and information access control

Control Objective:

To prevent unauthorized access to information held in
application systems

Controls:
Information access restriction
Sensitive system isolation

104
A.11 Access Control
A.11.7 Mobile computing and teleworking

Control Objective:

To ensure information security when using mobile computing
and teleworking facilities

Controls:
Mobile computing and communications
Teleworking
105
A.12 Information systems acquisition,
development and maintenance
A.12.1 Security requirements of information systems

Control Objective:

To ensure that security is an integral part of information
systems.

Controls:
Security requirements analysis and specification
106
A.12.2 Correct processing in applications

Control Objective:

To prevent errors, loss, unauthorized modification or misuse of
information in applications.

Controls:
Input data validation
Control of internal processing
Message integrity
Output data validation
107
A.12.3 Cryptographic controls

Control Objective:

To protect the confidentiality, authenticity or integrity of
information by cryptographic means.

Controls:
Policy on the use of cryptographic controls
Key management
108
A.12.4 Security of system files

Control Objective:

To ensure the security of system files

Controls:
Control of operational software
Protection of system test data
Access control to program source code
109
A.12.5 Security in development and support processes

Control Objective:

To maintain the security of application system software and
information

Controls:
Change control procedures
Technical review of applications after operating system
changes
Restrictions on changes to software packages
Information leakage
Outsourced software development
110
A.12.6 Technical Vulnerability Management

Control Objective:

To reduce risks resulting from exploitation of published
technical vulnerabilities

Controls:
Control of technical vulnerabilities
111
A.13 Information security incident
management
A.13.1 Reporting information security events and weaknesses

Control Objective:

To ensure information security events and weakness
associated with information systems are communicated in a
manner allowing timely action to be taken.

Controls:
Reporting information security events
Reporting security weakness
112
A.13 Information security incident
management
A.13.2 Management of information security incidents and
improvements

Control Objective:

To ensure a consistent and effective approach is applied to the
management of information security incidents

Controls:
Responsibilities and procedures
Learning from information security incidents
Collection of evidence

113
A.14 Business Continuity Management
A.14.1 Information security aspects of business continuity mgmt.

Control Objective:

To counteract interruptions to business activities and to protect
critical business process from the effects of major failures of
information systems or disasters to ensure their timely
resumption.

Controls:
Including information security in the BCM process
Business continuity and risk assessment
Developing and implementing continuity plans including
information security
Business continuity planning framework
Testing ,maintaining and reassessing BC plans
114
A.15 Compliance
A.15.1 Compliance with legal requirements

Control Objective:

To avoid breaches of any law, statutory, regulatory or
contractual obligations and of any security requirements

Controls:
Identification of applicable legislation
Intellectual property rights(IPR)
Protection of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
115
A.15 Compliance
A.15.2 Compliance with security policies and standards, and
technical compliance

Control Objective:

To ensure compliance of systems with organizational security
policies and standards

Controls:
Compliance with security policies and standards
Technical compliance checking
Information systems audit controls
Protection of information system audit tools

116
Any questions?

Iso 27001:2005

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Iso 27001:2005

Hochgeladen von

Copyright:

Verfügbare Formate

1

Das könnte Ihnen auch gefallen