ISMS Concepts
Information and Information Security
Information Security Management System
Purpose of ISMS
Process of developing ISMS
Characteristics of good ISMS
What is Information?
Information is an asset that, like other important business assets, is essential to an
organization's business and consequently needs to be suitably protected. (ISO/IEC
27002)
Asset: Anything that has value to the organization
[Figure: threats to information systems and related business issues. Threat labels shown in the diagram: theft, sabotage, version control, misuse, hacking problems, virus, fire, natural calamities, users with a high knowledge of IT systems; security policies; network entry points: VSAT, leased line, dial-in, Internet. Business issues: information systems that minimize financial loss and maximize return on investments and business opportunities.]
[Figure: Selection of controls (ISO/IEC 27001). Legal requirements, business requirements and security requirements feed into the Information Security Management System. Risk assessment covers threats and vulnerabilities assessment, asset identification and valuation, and policy, procedures and controls. Control types are listed alongside the threat, incident, damage and recovery stages: prevention, reduction, detection, repression, correction, evaluation.]
ISO 27004:2009 - Measurements
ISO 27011:2009 - Telecommunications Organizations
Health Organizations
ISMS Auditor / Lead Auditor Training Course Version 4.4 13
Other Related Standards
[Figure: ISMS Development, Maintenance and Improvement Cycle, with interested parties on both sides. Plan: establish ISMS. Do: implement and operate ISMS. Act: maintain and improve ISMS.]
[Figure: cover page of the IEEE/EIA Standard, Industry Implementation of International Standard ISO/IEC 12207:1995 (ISO/IEC 12207), Standard for Information Technology-, with the heading "1. Scope" visible.]
[Figure: Annex A of ISO 27001, control objectives and controls. Annex A specifies requirements through 39 control objectives, which are satisfied by 133 controls, grouped into 11 domains. Domains visible in the diagram: A.8 Human Resources Security; A.9 Physical & environmental security; A.10 Communications & operations management; A.11 Access control; A.12 Information Systems Acquisition, development & maintenance; A.15 Compliance.]
Why Documentation?
Details in Documentation
Size & Type of organization
Complexity & interaction of processes
Complexity of Infrastructure
Competence of Personnel
Surveillance Audits
The purpose of surveillance is
o to verify that the approved ISMS continues to be implemented,
o to consider the implications of changes to that system initiated as a
result of changes in the client organization's operation and
o to confirm continued compliance with certification requirements.
Surveillance programs should normally cover
o the system maintenance elements which are internal ISMS audit,
management review and preventive and corrective action;
o changes to the documented system;
o areas subject to change;
o selected elements of ISO/IEC 27001;
o other selected areas as appropriate.