
Session 1

ISMS Concepts
Information and Information Security
Information Security Management System
Purpose of ISMS
Process of developing ISMS
Characteristics of good ISMS
What is Information?
Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. (ISO/IEC 27002)
Asset: Anything that has value to the organization

Information Life Cycle

Information can exist in many forms:
data stored on computers
transmitted across networks
printed out
written on paper
sent by fax
stored on disks
held on microfilm
spoken in conversations over the telephone
..

Information can be:
Created
Stored
Processed
Transmitted
Copied
Used (for proper and improper purposes)
Destroyed?
Lost!
Corrupted!

Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected throughout its life cycle.
ISMS Auditor / Lead Auditor Training Course Version 4.4 2
Some Common Security Concerns to Information Assets

Theft, Sabotage, Misuse, Hacking
Version Control Problems
High user knowledge of IT systems
Security Policies
External connections (VSAT, Leased, Dial In, INET)
Unrestricted Access
Systems / Network Failure
Lack of documentation
Virus
Fire
Natural calamities



What is needed?

Management concerns:
Market reputation
Business continuity
Disaster recovery
Business loss
Loss of confidential data
Loss of customer confidence
Legal liability
Cost of security

Security Measures/Controls:
Technical
Procedural
Physical
Logical
Personnel
Management
Examples?



Information Security

Information Security is about protecting Information through selection of appropriate Security Controls. It
protects information from a range of threats
ensures business continuity
minimizes financial loss
maximizes return on investments and business opportunities

(Figure: Business Issues / Information Systems)



Objectives of Information Security
Preservation of
Confidentiality:
Ensuring that information is available only to those authorised to have access.
Integrity:
Safeguarding the accuracy and completeness of information & processing methods.
Availability:
Ensuring that information and vital services are available to authorised users when required.



Information Security Model



Why ISMS?

Information security that can be achieved through technical means is limited
Security also depends on people, policies, processes and procedures
Resources are not unlimited
It is not a one-off exercise, but an ongoing activity

All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS)



Information Security Management System (ISMS)
ISMS is that part of the overall management system, based on a business risk approach, used to
Establish
Implement
Operate
Monitor
Review
Maintain &
Improve
information security.
ISMS is a management assurance mechanism for the security of information assets concerning their
availability
integrity and
confidentiality



Process for developing an ISMS

Inputs: Legal Requirements, Business Requirements, Security Requirements
Risk Assessment: Assets identification & valuation; Threats & Vulnerabilities assessment
Selection of controls (ISO/IEC 27001)
Information Security Management System: Policy, Procedures & Controls



Characteristics of a good ISMS

Threat: Prevention, Reduction
Incident: Detection, Repression
Damage: Correction, Evaluation, Recovery



ISMS Standards
ISO/IEC 27001:2005
A specification (specifies requirements for implementing, operating, monitoring, reviewing, maintaining & improving a documented ISMS)
Specifies the requirements for implementing security controls, customised to the needs of the individual organisation or part thereof.
Used as a basis for certification
ISO/IEC 27002:2005 (Originally ISO/IEC 17799:2005)
A code of practice for Information Security management
Provides best practice guidance
Use as required within your business
Not for certification

Both ISO 27001 and ISO 27002 security control clauses are fully harmonized.
ISMS family of Standards: Relationship
ISO 27000:2009 Overview and Vocabulary
ISO 27001:2005 Requirements
ISO 27002:2005 Code of Practice
ISO 27003:2010 Implementation Guidance
ISO 27004:2009 Measurements
ISO 27005:2008 Risk Management
ISO 27006:2006 Certification body Requirements
ISO 27007:2010? Audit Guidelines
ISO 27011:2009 Telecommunications Organizations
ISO 27799:2008 Health Organizations
Status as on 31st March, 2010
Other Related Standards

ISO/IEC TR 18044:2004 IT Security techniques: Information security incident management
ISO/IEC 17021 Conformity assessment: Requirements for bodies providing audit and certification of management systems
ISO/IEC 19011:2002 Guidelines for management system auditing



PDCA Model applied to ISMS Processes

Plan: Establish ISMS
Do: Implement & Operate ISMS
Check: Monitor & Review ISMS
Act: Maintain & Improve ISMS

Input: Interested Parties, Information Security Requirements & Expectations
Output: Interested Parties, Managed Information Security
(Development, Maintenance and Improvement Cycle)



ISO 27001 Structure
ISO 27001:2005
1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
4.1 General
4.2 Establish and manage ISMS
4.3 Documentation
4.3.3 Control of Records
5. Management Responsibility
5.1 Management Commitment
5.2 Resource Management
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvement
8.1 Continual Improvement
8.2 Corrective Actions
8.3 Preventive Actions
Annexure A, B & C
ISMS process framework requirements

ISO 27001 Clause 4-8


ISMS process framework requirements
4. Information Security Management System
4.2 Establishing and managing the ISMS
4.3 Documentation requirements
5. Management Responsibility
6. Internal ISMS Audits (Why conduct Internal Audits? Who conducts Internal Audits?)
7. Management Review of the ISMS
8. ISMS Improvements (What is the difference between Corrective Action and Preventive Action?)



ISMS control requirements

Annexure A: Control objectives & controls
ISO 27001: Control Objectives and Controls
11 Domains
39 Control Objectives
133 Controls
ISO 27001 specifies the requirements; the controls satisfy the control objectives.



Structure of Annexure-A
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical & environmental security
A.10 Communications & operations management
A.11 Access control
A.12 Info. Systems Acquisition, development & maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance



ISO 27002 Structure

1 introductory clause on Risk assessment and Treatment
11 security Control Clauses (fully harmonised with ISO 27001)
39 main Security categories, each containing
a Control Objective and
One or more controls to support achievement of the control objective
Control descriptions, each containing
Control statement
Implementation Guidance
Other Information



Session 05
ISMS Implementation, Documentation, Maintenance & Improvement
Action plan for ISMS implementation
Activities in establishing, implementing, monitoring and improving ISMS
Documentation requirements of ISMS

Preparation & Implementation
Management Decision & Continued Commitment
Study ISO 27001:2005
Establish ISMS Framework
Establish Security Organization, Responsibility & Infrastructure
Designate Chief Information Security Officer
Establish Security Forum
Encourage Participation by All
Develop Inventory of Assets
Gap Analysis / Status Appraisal
Establish ISMS
Document
Create Awareness - Provide Training(s) as needed
Implement
Monitor
Technical Compliance
Internal ISMS Audits
Management Review
Update & Continual Improvement



Establishing and Managing ISMS

1. Establish ISMS (PLAN)
2. Implement ISMS (DO)
3. Monitor and review ISMS (CHECK)
4. Maintain & Improve ISMS (ACT)

The participants, in four groups, are to identify the various activities under PLAN, DO, CHECK and ACT.

Preparation time: 10 min.



ISMS Documentation

Why Documentation?

What needs to be documented?

What are the mandatory Procedures required by ISO 27001?

Documents and records can be in any form or type of medium



Typical ISMS Document Classification
Security Policy Manual
Summary of management framework including the information
security policy and the control objectives and implemented
controls given in the statement of applicability.
Procedures
Procedures adopted to implement the controls required.
Operational Documents
Explains details of specific tasks or activities.
Records
Evidence of activities carried out.



Extent of Documentation

The level of detail in documentation depends on:
Size & Type of organization
Complexity & interaction of processes
Complexity of Infrastructure
Competence of Personnel



Session 11
Certification Industry & Process
Certification Process
ISMS certification and Legal compliance
Certification Process
Application
Application Fee
Supporting Documents
Cursory Evaluation
Adequacy Assessment
Stage 1 Audit
Stage 2 Audit
Certification
Maintenance of Certification
Other Aspects
Renewal
Modification to Scope of Certification
Suspension/Withdrawal/Cancellation
Appeals & Complaints



Basic Requirements for Certification - 1

Evidence of creation of ISMS through system requirements:
Information Security Policy
Scope Statement
Risk Assessment
Statement of Applicability
The Management System



Basic Requirements for Certification - 2

Evidence of operation of Management controls:
Management Review
Various forms of system review
Document management
Records Management
Existence of essential controls
Implementation & effectiveness of controls selected as applicable



Maintenance of Certification

Surveillance Audits
The purpose of surveillance is
o to verify that the approved ISMS continues to be implemented,
o to consider the implications of changes to that system initiated as a
result of changes in the client organization's operation and
o to confirm continued compliance with certification requirements.
Surveillance programs should normally cover
o the system maintenance elements which are internal ISMS audit,
management review and preventive and corrective action;
o changes to the documented system;
o areas subject to change;
o selected elements of ISO/IEC 27001;
o other selected areas as appropriate.



ISMS Certification V/s Legal Compliance

ISMS Certification is a voluntary certification and is not a substitute for compliance with legal requirements. Compliance with ISO 27001 does not in itself confer immunity from legal obligations.
The maintenance and evaluation of legal and regulatory compliance is the responsibility of the client organization.
The certification body shall restrict itself to checks and samples in order to establish confidence that the ISMS functions in this regard.
The certification body shall verify that the client organization has a management system to achieve legal and regulatory compliance applicable to the information security risks and impacts.



Benefits of ISO 27001 Certification
An internationally recognized structured methodology
A single reference point for identifying a range of controls needed for most situations where information systems are used
A defined process to evaluate, implement, maintain and manage information security
The standard provides a yardstick against which security can be judged
A set of tailored policy, standards, procedures and guidelines
Facilitation of trade in a trusted environment
