ISO27001 and 27002 - PowerPoint PPT Presentation




ISO/IEC 27004 - a new standard for information security management measurements ... Malware, Trojans. Phishers. Spammers. Negligent staff. Storms, tornados, ... – PowerPoint PPT presentation

Number of Views:5306
Avg rating:3.0/5.0
Slides: 28
Provided by: kena159



ISO27001 and 27002
  • Removing the Smoke and Mirrors
  • Ken Anderson

  • History of ISO and Timeline
  • Overview of ISO 27000
  • Threats and Impacts ISO addresses
  • Objectives and benefits for measuring security
  • Best Practices

History of ISO - Timeline
  • 1992 - The Department of Trade and Industry (DTI),
    which is part of the UK Government, publish a
    'Code of Practice for Information Security
  • 1995 - This document is amended and re-published by
    the British Standards Institute (BSI) in 1995 as
  • 1996 - Support and compliance tools begin to
    emerge, such as COBRA. David Lilburn Watson
    becomes the first qualified certified BS7799
    c:cure Auditor
  • 1999 - The first major revision of BS7799 was
    published. This included many major
    enhancements. Accreditation and certification
    schemes are launched. LRQA and BSI are the first
    certification bodies.

History of ISO - The Timeline
  • 2000 - In December, BS7799 is again re-published,
    this time as a fast tracked ISO standard. It
    becomes ISO 17799 (or more formally, ISO/IEC
  • 2001 - The 'ISO 17799 Toolkit' is launched.
  • 2002 - A second part to the standard is published:
    BS7799-2. This is an Information Security
    Management Specification, rather than a code of
    practice. It begins the process of alignment with
    other management standards such as ISO 9000.
  • 2005 - A new version of ISO 17799 is published.
    This includes two new sections, and closer
    alignment with BS7799-2 processes.
  • 2005 - ISO 27001 is published, replacing BS7799-2,
    which is withdrawn. This is a specification for
    an ISMS (information security management system),
    which aligns with ISO 17799 and is compatible
    with ISO 9001 and ISO 14001.

Where did 17799 come from?
  • BS7799 was conceived, as a technology-neutral,
    vendor-neutral management system that, properly
    implemented, would enable an organization's
    management to assure itself that its information
    security measures and arrangements were
  • From the outset, BS7799 focused on protecting the
    availability, confidentiality and integrity of
    organizational information and these remain,
    today, the driving objectives of the standard.
  • BS7799 was originally just a single standard, and
    had the status of a Code of Practice. In other
    words, it provided guidance for organizations,
    but hadn't been written as a specification that
    could form the basis of an external third party
    verification and certification scheme.

Overview of ISO 27000 (base standard)
  • Published standards
  • ISO/IEC 27001 - the certification standard
    against which organizations' ISMS may be
    certified (published in 2005)
  • ISO/IEC 27002 - the re-naming of existing
    standard ISO 17799 (last revised in 2005, and
    renumbered ISO/IEC 27002:2005 in July 2007)
  • ISO/IEC 27006 - a guide to the
    certification/registration process (published in 2007)
  • In preparation
  • ISO/IEC 27000 - a standard vocabulary for the
    ISMS standards
  • ISO/IEC 27003 - a new ISMS implementation guide
  • ISO/IEC 27004 - a new standard for information
    security management measurements
  • ISO/IEC 27005 - a proposed standard for risk
  • ISO/IEC 27007 - a guideline for auditing
    information security management systems
  • ISO/IEC 27011 - a guideline for
    telecommunications in information security
    management system
  • ISO/IEC 27799 - guidance on implementing ISO/IEC
    27002 in the healthcare industry

ISO/IEC 27001
  • ISO/IEC 27001 certification usually involves a
    three-stage audit process
  • Stage 1 is a "table top" review of the existence
    and completeness of key documentation such as the
    organization's security policy, Statement of
    Applicability (SoA) and Risk Treatment Plan
  • Stage 2 is a detailed, in-depth audit involving
    testing the existence and effectiveness of the
    information security controls stated in the SoA
    and RTP, as well as their supporting
  • Stage 3 is a follow-up reassessment audit to
    confirm that a previously-certified organization
    remains in compliance with the standard.
    Certification maintenance involves periodic
    reviews and re-assessments to confirm that the
    ISMS continues to operate as specified and

ISO/IEC 27002
  • ISO/IEC 27002 provides best practice
    recommendations on IS security management systems
  • The standard contains the following twelve main
  • 1. Risk Assessment - determining asset vulnerability
  • 2. Security Policy - management direction
  • 3. Organization of Information Security - governance
    of information security
  • 4. Asset Management - inventory and classification
    of information assets
  • 5. Human Resources Security - security aspects for
    employees joining, moving and leaving an
  • 6. Physical and Environmental Security - protection
    of the computer facilities

ISO/IEC 27002
  • 7. Communications and Operations Management -
    management of technical security controls
  • 8. Access Control - restriction of access rights
    to networks, systems, applications, functions and
  • 9. Information Systems Acquisition, development
    and maintenance - building security into
  • 10. Information Security Incident Management -
    anticipating and responding appropriately to
    security breaches
  • 11. Business Continuity Management - protecting,
    maintaining and recovering business-critical
    processes and systems
  • 12. Compliance - ensuring conformance with
    information security policies, standards, laws
    and regulations

ISO/IEC 27002
  • Within each section, information security
    controls and their objectives are specified and
  • Specific controls are not mandated since
  • Each organization is expected to undertake a
    structured information security risk assessment
    process to determine its specific requirements
    before selecting controls that are appropriate to
    its particular circumstances.
  • It is practically impossible to list all
    conceivable controls in a general purpose
    standard. Industry-specific implementation
    guidance for ISO/IEC 27001 and 27002 are
    anticipated to give advice tailored to
    organizations in the telecomms, financial
    services, healthcare, lotteries and other

  • ISO 27002 Summary
  • (Eye Test)

Information security threats of 2008
  • CISSP / ISO27k implementers forum identifies the
    following threats
  • Imposition of legal and regulatory obligations.
  • Cyber-criminals
  • Malware, Trojans
  • Phishers
  • Spammers
  • Negligent staff
  • Storms, tornadoes, floods - Acts of God
  • Hackers
  • Unethical Employees who misuse/misconfigure
    system security functions
  • Unauthorized access, modification or disclosure of
    information assets
  • Nations attacking critical information
    infrastructures to cause disruption.
  • Technical advances that can render encryption
    algorithms obsolete

Information security impacts
  • Resulting information security incidents can
  • Disruption to organizational routines and
  • Direct financial losses through information theft
    and fraud
  • Decrease in shareholder value
  • Loss of privacy
  • Reputational damage causing brand devaluation
  • Loss of confidence in IT
  • Expenditure on information security assets and
    data damaged, stolen, corrupted or lost in
  • Loss of competitive advantage
  • Reduced profitability
  • Impaired growth due to inflexible
    infrastructure/system/application environments
  • Injury or loss of life if safety-critical systems

Objectives of measuring security
  • So what are the objectives of measuring security?
  • To show ongoing improvement
  • To show compliance (with Standards, contracts,
    SLAs, OLAs, etc)
  • To justify any future expenditure (new security
    software, training, people, etc)
  • ISO 27001 certification requires it. Other
    Management Systems also require it ISO 9001,
    ISO 20000
  • To identify where implemented controls are not
    effective in meeting their objectives
  • To provide confidence to senior management and
    stakeholders that implemented controls are

Benefits of measuring security
  • So what are the benefits of measuring security?
  • Eases the process of monitoring the
    effectiveness of the ISMS (e.g. less
    labor-intensive if using tools, and provides a
    means of self-checking)
  • Proactive tools to measure / prevent problems
    arising at a later date (e.g. network
    bottlenecks, disk clutter, development of poor
    human practices)
  • Reduction of incidents, etc
  • Motivates staff when senior management set
  • Tangible evidence to auditors, and assurance to
    senior management that you are in control i.e.
    Corporate Information Assurance (Corporate
    Governance), and top down approach to Information

What should be measured
  • They have been broken down into the following
  • Management Controls - Security Policy, IT
    Policies, Security Procedures, Business
    Continuity Plans, Security Improvement Plans,
    Business Objectives, Management Reviews
  • Business Processes - Risk Assessment, Risk
    Treatment Management Process, Human Resource
    Process, SoA selection process, Media Handling
  • Operational Controls - Operational Procedures,
    Change Control, Problem Management, Capacity
    Management, Release Management, Backup, Secure
    Disposal, Equipment off site
  • Technical Controls - Patch Management, Anti-Virus
    Controls, IDS, Firewall, Content Filtering

What needs to be measured?
  • Measurement can be achieved against
  • A particular security control or objective
  • A group of controls
  • Against main controls within a Standard
  • Specific controls within an IT component.

Process for deciding which controls should be
  • First, you need to
  • Confirm relevance of controls through risk
  • Define objectives, ensuring they map back to the
  • Use existing Indicators wherever possible, e.g.
    in ITIL terms, KPIs
  • A KPI helps a business define progress towards a
    particular goal
  • KPIs are measurements critical to the success of
    the business.
  • Within the ISMS audit framework, identify
    controls which can be continuously monitored,
    using chosen technique
  • Before using any tools, confirm the objectives
    with senior managers as well as staff.
    Corroborate with third parties, or through
    SLAs/OLAs where internal third parties are
    concerned e.g. ISO15000 (ITIL)

Process for deciding which controls should be
  • Establish a baseline, against which all future
    measurements can be contrasted/compared
  • Provide periodic reports to appropriate
    management forum/ISMS owners (show graphs,
    pictures paint a thousand words)
  • Identify Review Input agreed recommendations,
    corrective actions, etc
  • Implement improvements within your Integrated
    Management Systems (IMS) e.g. merged ISOs 9001,
    14000, 27001, 20000
  • Establish/agree new baseline, review the output,
    apply the PDCA approach (Plan Do Check

Measuring the effectiveness of Security
Apply the vulnerability management lifecycle...
  • Prioritize based on vulnerability data, threat
    data, and asset classification plan
  • Inventory assets
  • Identify vulnerabilities
  • Develop baseline
  • Monitor known vulnerabilities
  • Watch unpatched systems
  • Alert other suspicious activity
  • Eliminate high-priority vulnerabilities
  • Establish controls
  • Demonstrate progress
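As an added illustration (not part of the slides), the following Python puts the "what should be measured" and "vulnerability management lifecycle" slides into working form: vulnerabilities are prioritized from vulnerability data, threat data and the asset classification plan, a remediation KPI is computed, and the result is compared against an agreed baseline. The asset inventory, classification weights and scoring formula are constructed assumptions, not anything ISO 27001/27002 prescribes.

```python
"""Added example, not from the slides: score vulnerabilities against the asset
classification plan and track a remediation KPI against a baseline (all
assets, weights and the scoring formula are constructed assumptions)."""
from dataclasses import dataclass

# Asset classification plan (constructed): higher weight = more critical asset.
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

@dataclass(frozen=True)
class Vulnerability:
    asset: str           # hostname from the asset inventory
    classification: str  # label from the asset classification plan
    cvss: float          # vulnerability data: CVSS base score, 0-10
    exploited: bool      # threat data: exploitation observed in the wild
    patched: bool        # current remediation state

def priority(v: Vulnerability) -> float:
    """Vulnerability data x asset classification, doubled when threat data
    says the flaw is actively exploited (constructed weighting)."""
    score = v.cvss * CLASSIFICATION_WEIGHT[v.classification]
    return score * 2 if v.exploited else score

def prioritize(vulns):
    """Unpatched findings, highest priority first: what to eliminate first."""
    return sorted((v for v in vulns if not v.patched), key=priority, reverse=True)

def remediation_kpi(vulns, threshold: float) -> float:
    """KPI: percentage of high-priority findings (score >= threshold) already
    remediated; 100.0 when nothing reaches the threshold."""
    high = [v for v in vulns if priority(v) >= threshold]
    if not high:
        return 100.0
    return 100.0 * sum(v.patched for v in high) / len(high)

def compare_to_baseline(current: float, baseline: float) -> str:
    """Report the new measurement against the agreed baseline (PDCA 'Check')."""
    delta = current - baseline
    if delta > 0:
        return f"improved by {delta:.1f} points"
    if delta < 0:
        return f"regressed by {-delta:.1f} points"
    return "unchanged"

# Constructed sample inventory and scan results.
SAMPLE = [
    Vulnerability("web-01", "public", 9.8, True, False),
    Vulnerability("hr-db-01", "restricted", 7.5, False, True),
    Vulnerability("file-02", "internal", 5.3, False, False),
    Vulnerability("pay-app-01", "confidential", 8.1, True, True),
]
```

Running `remediation_kpi(SAMPLE, 15.0)` each reporting period and feeding the result to `compare_to_baseline` gives the periodic, baseline-relative figure the slides ask for; the threshold and weights are what the ISMS owners would agree up front.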

Regulatory Concerns - why look at ISO
  • A lot to worry about
  • FOIP
  • Government concerns (e.g. Systrust, GCCR)
  • Payment Card Industry (PCI)
  • CSOX (Bill 198)
  • NERC (Electric Regulatory)
  • Cross-border regulations (HIPAA, GLBA)
  • ISA SP 99 (Future Industrial Standard?)
  • There will be more to follow...

Why Best Practices are Important!
  • Today, the effective use of best practices can
    help avoid re-inventing wheels, optimize the use
    of scarce IT resources and reduce the occurrence
    of major IT risks, such as
  • Project failures
  • Wasted investments
  • Security breaches
  • System crashes
  • Failures by service providers to understand and
    meet customer requirements

Why Best Practices are Important!
  • COBIT, ITIL and ISO 17799 are valuable to the
    ongoing growth and success of an organization
  • Companies are demanding better returns from IT
  • Best practices help meet regulatory requirements
    for IT controls
  • Organizations face increasingly complex
    IT-related risks
  • Organizations can optimize costs by standardizing
  • Best practices help organizations assess how IT
    is performing
  • Management of IT is critical to the success of
    enterprise strategy
  • They help enable effective governance of IT
  • A management framework helps staff understand
    what to do (policy, internal controls and defined
  • They can provide efficiency gains, less reliance
    on experts, fewer errors, increased trust from
    business partners and respect from regulators

  • ISO started as a management system
  • ISO 17799 (BS7799) has become a de facto IT
  • ISO 27000 takes standards to a new level
  • Most organizations are using or looking at the
    standard for help
  • Many more uses down the road

ISO 27000 Reference Links
  • http//www.information-security-policies-and