Title: Accreditation and certification ISMS EA Guidelines for ISMS Certification process
1 Accreditation and certification ISMS - EA Guidelines for ISMS Certification process
2 Agenda
- Information Security Management System, ISMS
- Introduction to Business needs and advantages of information security
- Brief history and standards, ISO/IEC 17799:2000 and BS 7799-2:2002
- Implementation of an ISMS
- Risk management
- Process approach
- Accreditation and certification ISMS
- EA Guidelines
- ISMS Certification
- Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
- Certification status in Sweden and other countries
- Lessons learned
- Future trends
- Further information
3 ISMS certification - Reasons for seeking Certification
[Chart: BSI-DISC survey 1999 in co-operation with Admiral Plc.]
Other reasons quoted for seeking Certification include:
- To show compliance with the new Data Protection Act
- To be able to request compliance from other organisations
- To facilitate compliance with a best practice framework
4 Accreditation of CBs
- SWEDAC technical committee for ISMS
- EN 45012:1998
- EA-7/03 Guidelines for the Accreditation of bodies operating certification/registration of Information Security Management Systems
- STAFS 2002:2
- BS 7799-2:2002
5 EA 7/03 - Requirements for the Certification Body
- IS 1 - Scope
- IS 2 - Impartiality
- IS 3 - Management competence
- IS 4 - Auditor competence
- IS 5 - Audit Team competence
- IS 11 - Certification decision
- IS 12 - Reporting by Audit teams to the CB
- IS 13 - Decision taking, in relation to the certification function
6 EA 7/03 - Requirements for the Certification Audit
- IS 6 - Access to personnel records
- IS 7 - Statement of Applicability
- IS 8 - Scope of certification
- IS 9 - Audit Methodology
- IS 10 - Specific Elements of the ISMS Audit
- IS 14 - Surveillance audits and reassessments
7 EA 7/03 - IS 6 - Access to personnel records
- The certification body shall make clear to the customer its need to have access to the personnel register
- The customer shall create opportunities for access to the necessary information
- Agreement at contract signing
8 EA 7/03 - IS 7 - Statement of Applicability
- The client shall have prepared a Statement of Applicability relevant for the organisation
  - all of the requirements of the standard (part 2) shall be defined (applicable or not applicable)
  - additional controls might be needed from other requirements in the business
- The Statement of Applicability shall be a part of the audit team's working documents - the roadmap
9 BS 7799-2:2002 4.2.1 h) Prepare a Statement of Applicability
- Selection of controls and control objectives in 4.2.1 g)
- Reasons for selection
- Also exclusion of control objectives and controls listed in Annex A
Based on the RISK ASSESSMENT like everything else!
10 BS 7799-2:2002 - 4.2.1 h) Statement of Applicability
[Diagram: Plan - Do - Check - Act cycle]
- Cross references to other standards in the organisation
- Statement of fulfilment, non-fulfilment together with non-applicability of BS 7799-2
- Specific organisational details on top of the requirements in the standard
Example
- A.4.2.2 Security requirements in third-party contracts - We do not have anyone outside of the company that requires access, hence this is not applicable to us.
- A.5.2.2 Information labelling and handling - Requirement from HMG that we shall follow government guidelines, document ref. XYZ
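As an added example (not part of the presentation), a small checker for a Statement of Applicability in the form slides 8 to 10 describe: every Annex A control is declared applicable or not applicable, each decision carries a reason and is traceable to the risk assessment, and any additional control names the business requirement it comes from. The control catalogue is a constructed subset (only A.4.2.2 and A.5.2.2 come from the slide), and the `risk_ref` and `cross_ref` fields and the risk ids are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of BS 7799-2:2002 Annex A control ids. Only A.4.2.2 and
# A.5.2.2 appear on the slide; A.11.1.1 is an assumed extra entry for illustration.
ANNEX_A: Dict[str, str] = {
    "A.4.2.2": "Security requirements in third-party contracts",
    "A.5.2.2": "Information labelling and handling",
    "A.11.1.1": "Business continuity management process",
}

@dataclass
class SoAEntry:
    control: str
    applicable: bool
    reason: str                       # reason for selection or for exclusion
    risk_ref: Optional[str] = None    # assumed field: item in the risk assessment
    cross_ref: Optional[str] = None   # e.g. "document ref. XYZ" or the business requirement

def validate_soa(entries: List[SoAEntry],
                 catalogue: Dict[str, str] = ANNEX_A) -> List[str]:
    """Return audit findings; an empty list means the SoA is complete and motivated."""
    findings: List[str] = []
    seen: Dict[str, SoAEntry] = {}
    for e in entries:
        if e.control in seen:
            findings.append(f"{e.control}: listed more than once")
        seen[e.control] = e
        if not e.reason.strip():
            findings.append(f"{e.control}: no reason for selection/exclusion given")
        if not e.risk_ref:
            findings.append(f"{e.control}: not traceable to the risk assessment")
        if e.control not in catalogue and not e.cross_ref:
            findings.append(f"{e.control}: additional control without the requirement it comes from")
    # Every Annex A control must be declared, either applicable or not applicable.
    for cid in catalogue:
        if cid not in seen:
            findings.append(f"{cid}: missing - must be declared applicable or not applicable")
    return findings

# Constructed SoA built from the two examples on the slide; the risk ids are made up.
SAMPLE_SOA = [
    SoAEntry("A.4.2.2", False, "No one outside the company requires access", risk_ref="RA-12"),
    SoAEntry("A.5.2.2", True, "HMG requires us to follow government guidelines",
             risk_ref="RA-07", cross_ref="document ref. XYZ"),
]
```

Running `validate_soa(SAMPLE_SOA)` reports the one Annex A control the sample SoA never declares, which is exactly the kind of gap the audit team's roadmap is meant to expose.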
11 EA 7/03 - IS 8 - Scope of certification
- The organisation should define the scope of the Information Security Management System (ISMS)
- Interfaces/delimitations should be identified and included in the risk assessment, i.e. a shared site
- The certification body shall ensure that the risk assessments are relevant and mirror the business area for the chosen scope
12 EA 7/03 - IS 9 - Audit Methodology
- Certification of an Information Security Management System shall be in two steps
- The goal of step 1 is to gain insight into the management system, to evaluate whether the ISMS is implemented and ready for the certification audit
13 EA 7/03 - IS 10 - Specific Elements of the Audit
- The organisation shall have a process for assessment of threats, vulnerabilities and consequences for the organisation
- Controls shall have been implemented to secure vital assets
- The certification body shall verify that the level is relevant according to
  - the business area for the organisation
  - the environment in which the business is conducted
14 EA 7/03 - IS 14 - Surveillance audits
- Surveillance audits on a yearly basis
  - semi-annual, every nine months or once a year
- Audit methodology - the same as during a certification audit
- Surveillance audits may be combined with audits of other management systems, whereby the complete business management system is audited at the same time
15 ISMS certification - When can certification take place?
[Diagram: Awareness creation]
16 ISMS certification - Initial Audit Process
[Diagram: Follow-up Activity]
17 ISMS certification - Steps in the initial audit process
18 ISMS certification - The risk assessment is the focal point
19 The auditor's checklist for Risk assessment - evaluation
- Process
- System/feed-back/repeatability
- Traceability
- Support
- Understanding
- Systematic
- Complete
- Competence requirements (education training)
- Participation
- Management commitment
- Security policy
- Business objectives
- External impacting factors, i.e. laws, location
20 Internal audits/Certification - Co-ordination with other audits
- Quality Management System
- Environmental Management System
- Occupational Health and Safety Management System
- Information Security Management System
A SINGLE BUSINESS MANAGEMENT SYSTEM
An audit TEAM
21 ISMS Certification - Benefits of certification
- Enhanced corporate image
- Accountability / re-assurance
- Drives forward improvement process
- Ensures management commitment
- Positive response from potential customers
- Can be part of an Integrated approach 9001/14001/ISMS
- Staff motivation
23 Management Systems - 6 focal areas - differences
- Risk assessment
  - BS 7799-2:2002: Risk Assessment
  - ISO 14001:1996: Environmental aspects
  - ISO 9001:2000: -
- Statement of Applicability
  - BS 7799-2:2002: Statement of Applicability (4.2.1 h)
  - ISO 14001:1996: -
  - ISO 9001:2000: (no) Application (1.2)
- Policy
  - BS 7799-2:2002: Policy - Framework for setting objectives and establishing an overall sense of direction - Monitor and review
  - ISO 14001:1996: Policy - Framework for Environmental Objectives and Targets
  - ISO 9001:2000: Policy - Framework for Quality Objectives - Commitment to comply with Requirements
- Business continuity
  - BS 7799-2:2002: Business Continuity Management (A.11)
  - ISO 14001:1996: Emergency Preparedness and Response (4.4.7)
  - ISO 9001:2000: -
- Legal requirements
  - BS 7799-2:2002: Legal Reqs - ALL
  - ISO 14001:1996: Legal Reqs - Environmental
  - ISO 9001:2000: Legal Reqs - ALL
- Continual improvement
  - BS 7799-2:2002: Continual improvement of the effectiveness of the ISMS (7)
  - ISO 14001:1996: Continual improvement and prevention of pollution (4.2)
  - ISO 9001:2000: Continual improvement of the effectiveness of the QMS (8.5.1)
- EA guideline
  - BS 7799-2:2002: EA 7/03
  - ISO 14001:1996: EA 7/02
  - ISO 9001:2000: EA 7/01
24 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- EMS closest to Environmental aspects (4.3.1)
- External impacts from the organization
- QMS
- Nothing
25 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- ISMS Statement of Applicability (4.2.1 h)
  - all requirements (applicable, not applicable) motivated
- EMS
- nothing
- QMS closest to Application (1.2)
- Requirements not applicable
26 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- ISMS Information security policy (4.2.1 b, 4.2.3 b)
  - Characteristics of the business, the organization, its location, assets and technology (framework, business and legal reqs, etc.)
  - Review of meeting security policy and objectives
- EMS Environmental policy (4.2)
  - Framework for Environmental Objectives and Targets
  - (Published document)
- QMS Policy (5.3)
- Framework for Quality objectives
- Commitment to comply with requirements
- (Published document)
27 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- ISMS Business continuity plan (A.11)
  - Planning for the continuity of the business should anything happen (external or internal incident)
- EMS Emergency preparedness and response (4.4.7)
  - Avoid and minimize environmental impact caused by the organization
- QMS
  - nothing
28 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- ISMS - all applicable laws, ...
  - Compliance with legal requirements (A.12.1)
- EMS - applicable environmental laws
  - Legal and other requirements (4.3.2)
  - Environmental aspects
- QMS - all applicable laws
  - Management responsibility (5.1)
  - Customer focus (5.2)
  - Identification of customer (product) requirements (7.2.1)
29 Comparison ISMS, EMS, QMS - Business Management System Focus Areas
- ISMS Continual improvement (7.1) of the effectiveness of the ISMS
  - Information security policy, security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review
- EMS Environmental Policy (4.3.4)
  - Continual improvement and prevention of pollution (4.2)
- QMS Continual improvement (8.5) of the QMS
30 Similarities ISMS, EMS, QMS - Business Management System Focus Areas
- Management commitment
- Policy - Goal
- Organisation, incl. responsibility definition
- System structure
- Procedures
- Document control
- Records management
- Training
- Management review
- Internal audit
- Corrective and preventive action
31 Differences ISMS, EMS, QMS - Business Management System Focus Areas
- Evaluation of the risk assessment and the Statement of Applicability
- Assessment of the operation of controls
- Verification of achievement of security objectives
- Validation of correct implementation of security products
- Verification of adherence to procedures
  - that's not different
33 Reported on the www.xisec.com web site - 7799 certificates around the world
34 Certification - ISMS certification status in the Nordic countries
- Finland
  - 8 certificates as of 23rd of January 2003
- Norway
  - 6 certificates as of 23rd of January 2003
- Sweden
  - 4 certificates by April 2000 and nothing afterwards
- Denmark
  - A different scheme altogether
  - No certificates
35 Certification - ISMS certification status in other countries
- UK
  - 85 certificates as of 14th of February 2003
- Japan
  - 21 certificates as of 23rd of January 2003
- India
  - 10 certificates as of 14th of February 2003
- Korea
  - 9 certificates as of 30th of September 2002
- Germany
  - 8 certificates as of 16th of January 2003
- Italy
  - 7 certificates as of 23rd of January 2003
- Singapore
  - 7 certificates as of 16th of January 2003
37 Lessons learned - ISMS experiences
- Norway
  - ISMS certification driven by the Government: reduction on certification fee
  - Reduction on insurance premium if certified
  - BBC (the payment central for the banks) is certified
  - Smart card issuers focusing
  - Health sector on its way
- Sweden
  - Strong Technical Committee for BS 7799, chaired by the security manager of the Swedish National Bank, not driving certification
  - Reduction on insurance premiums from one insurance company
  - Health sector has adopted parts of BS 7799 and issued it as a separate interpretation guide
  - Parts of the Swedish Military are adopting ISMS (together with QMS, EMS, etc.)
- Denmark
  - Big international company trying to influence the Accreditation Body to move to the BS 7799 scheme
38 Lessons learned - ISMS experiences in Sweden
- Low awareness focus from authorities, government, etc.
  - We trust each other, our employees and business partners, and do not need protection
  - No one wants to hurt us
  - We have nothing others are interested in
- Too much IT focus when implementing the ISMS
- Consultants
  - Focusing on ISO/IEC 17799
  - Nothing mentioned about an ISMS
  - Far too much documentation
  - Lack of business focus
  - Limited risk assessment
  - Mostly lacking the correct background and experience
  - Working at too low a level within companies
- Lack of business focus, specifically in the area of continuity planning
- Too much focus on IT security, combined with the thought that technical gadgets are the answer to protection within a company, i.e. smart cards, firewalls, etc.
39 Lessons learned - ISMS experiences from Sweden
- Involve authorities, government, etc. in awareness creation
- Remember that
  - Information security is not only IT security
  - Requirements and the ISMS process model are described in BS 7799-2:2002
  - ISO/IEC 17799:2000 is a Best Practice, that is, guidelines
  - BS 7799-2 and ISO/IEC 17799 should be regarded as one entity
- Business focus is needed during implementation of the ISMS
  - specifically in the area of continuity planning and risk analysis
- More preparation time needed in mapping business processes, risk analysis, etc.
- Process focus for risk management is important
- Choose consultants with the correct competence, should help be needed
- Money keeps the world going round
  - S.I.A Spa, Italy, got their first multimillion business from the EU
  - ABB Facilities Management and C2 Management: contracts they would not have got otherwise
- The strongest driving force is requirements from clients
40 Lessons learned - ISMS consultant and auditor - Competence requirements
- Consultant(s)
- Representatives from the company
- Audit team
  - Auditor(s)
  - Business Area expert
  - Technical expert(s)
41 Lessons learned - Business Management System - Total competence requirement
- Team competence necessary to
  - build, implement and follow up on a management system
- See competence requirements in EA 7/03, 7/02 and 7/01
42 Lessons learned - Awareness creation
- Communication on the Internal web site
- Training in information security
- Newly employed
- Earlier employed
- Repeated
- Follow up on training
- Test
- Statistics
- Follow up on compliance
  - Plan
  - Do - keep the business perspective in mind!!!
  - Report - highlight the business perspective!!!
  - Walk through with stakeholders
  - Actions if not OK -> escalate to top management
- Follow up on improvements
44 Lessons learned - Future trends
- High risk business areas focusing on ISMS
  - Certificate Service Providers
  - Health Sector
  - Public Sector (24-hour Service to Citizens)
  - Bank and Finance Sector
- Certification requirements on consultants
  - Training in information security focusing on certification of consultants
  - CISP, Certified Information Security Professional
  - CISM, Certified Information Security Manager (ISACA)
  - CISA, Certified Information Systems Auditor (ISACA)
  - And others (without stating requirements)
- Adoption of ISMS in the regulated area
  - EU Directives
  - Etc.
45 Information Security - 7799 - Further information
Contact Inger Nordin, Inger.Nordin_at_validation.nu
Public documentation
- Preparing for BS7799 Certification (PD3001)
- The Guide to BS7799 Risk Assessment and Risk Management (PD3002)
- Are you Ready for a BS7799 Audit? (PD3003)
- Guide to BS7799 Auditing (PD3004)
- Guide on selection of BS 7799 controls (PD3005)
- ISO/IEC 17799:2000 Information technology - Code of practice for information security management
- BS7799-2:2002 Information security management systems - Specification with guidance for use
- EA Guidelines 7/03