ISOIEC 27001 Information Security Management Systems presented by Sam Weissfelner - PowerPoint PPT Presentation


Slides: 36
Provided by: sdebene


ISO/IEC 27001 Information Security Management Systems
presented by Sam Weissfelner
  • Adding Value To Your Business

The CSA Group
About QMI
  • Established in 1984
  • Largest registrar in North America
  • Technical expertise recognized globally
  • Offices throughout the world
  • Offer training services
  • Our purpose is to help businesses get better

. . . What does this mean to you?
We act with integrity to advance business
excellence, employing our knowledge, experience
and client focus to make standards work
Extensive Knowledge
  • QMI is a premier registrar that has:
  • A direct link to one of the world's leading
    standards bodies, CSA
  • Participation on prestigious technical committees
    that write standards such as ISO 9001
  • Involvement with many accreditation and oversight
  • A brand that is recognized around the world

International Organization for Standardization
  • Credible
  • Established in 1947
  • Has published over 16,077 international standards
  • ISO meetings attract some 30,000 experts a year
  • Decentralized
  • A federation of 156 national standards bodies
  • National member bodies manage the development work
  • Consensus-based
  • ISO standards are developed by consensus

Management systems
  • Management systems are just that: systems to
    manage a particular area or areas within an
    organization
  • For instance, companies often have many
    management systems (e.g. quality, health and
    safety, environment, finance and, most recently,
    security of their information systems)

Management systems
  • In 1987, ISO 9001, a quality management system
    (QMS) standard, was first published to provide a
    standard for managing the quality of an
    organization's product (based on manufacturing
    initially, with service being factored into the
    revisions issued in 1994 and again in 2000)
  • In 1996, ISO 14001, an environmental management
    system (EMS) standard, was born, with a revision
    in 2004
  • There are over 10,000 standards, but the most
    well-known ones are the management system
    standards, of which ISO 27001 is one

What is an ISMS?
  • Information Security Management System
  • Strategic decision of an organization
  • Design and implementation
  • Needs and objectives
  • Security requirements
  • Processes employed
  • Size and structure of the organization
  • Scaled with needs: a simple situation requires a
    simple ISMS solution

Strategic Decision
  • Adoption of an ISMS should be a strategic decision
  • Design and implementation are influenced by the
    organization's needs and objectives, security
    requirements, the processes employed and the size
    and structure of the organization
  • Scale the system in accordance with your needs,
    which may well change (simple situation, simple
    ISMS solution; complex situation, complex ISMS
    solution)

Introduction ISO 27001 ISMS
  • ISO 27001 has been prepared to provide a model for
  • Establishing
  • Implementing
  • Operating
  • Monitoring
  • Reviewing
  • Maintaining
  • and improving
  • an Information Security Management System (ISMS)

Process Approach
  • ISO 27001 has adopted a Process Approach, which
    means an organization needs to identify and
    manage many activities in order to function
  • Any activity that uses resources and is managed in
    order to enable the transformation of inputs into
    outputs can be considered to be a process
  • Inputs >>> Process >>> Outputs
  • Often, outputs from one process provide inputs
    into the next

Process Approach contd
  • Process approach for ISMS encourages users to
    emphasize the importance of
  • a) understanding an organizations information
    security requirements and the need to establish
    POLICY and OBJECTIVES for information security
  • b) implementing and operating CONTROLS to manage
    an organizations information security risks in
    the context of the organizations overall
    business risks
  • c) monitoring and reviewing the performance and
    effectiveness of the ISMS, and
  • d) CONTINUAL IMPROVEMENT based on objective
    measurement

  • Plan, Do, Check, Act is to be applied to
    structure all ISMS processes
  • Figure 1 on the next slide illustrates how an
    ISMS takes the information security requirements
    and expectations of the interested parties and,
    through the necessary actions and processes,
    produces information security outcomes that meet
    those requirements and expectations

Model of an ISMS
Management System Comparisons
  • EMS is defined as "Part of an organization's
    management system used to develop and implement
    its environmental policy and manage its
    environmental aspects" (ISO 14001:2004)
  • QMS is defined as "Management system to direct
    and control an organization with regard to
    quality" (ISO 9001:2000)
  • ISMS is defined as "That part of the overall
    management system, based on a business risk
    approach, to establish, implement, operate,
    monitor, review, maintain and improve information
    security" (ISO 27001:2005)

Management System Comparisons
  • ISO 27001, Information Security Management System:
    developed by ISO/IEC JTC 1 (Information Technology),
    subcommittee SC 27 (IT Security techniques);
    voluntary standard; mandatory requirements; focus
    on performance, systems and documentation
  • ISO 14001, Environmental Management System:
    developed by TC 207; voluntary standard; mandatory
    requirements; focus on performance and systems
  • ISO 9001, Quality Management System: developed by
    TC 176; voluntary standard; mandatory requirements;
    focus on performance and systems
Business Case for an ISMS

Business Case for ISMS
  • Recent Breaches
  • Winners/HomeSense: up to 4 million customer
    records, Dec 2006
  • CIBC: 470,000 customer records, Dec 2006
  • Boeing: 382 current and former employees, Dec 2006
  • UCLA: 800,000 people, Dec 2006
  • Starbucks: 40,000 current and former employees,
    Nov 2006
  • Ontario Science Centre: customer names on a
    notebook, Nov 2006
  • GE: 50,000 employee names, Oct 2006
  • BC Government: 250,000 BC residents, Oct 2006
  • Wells Fargo: numbers not disclosed, Oct 2006

Business Case for ISMS
  • Study shows the most common sources of data leaks:
  • Lost or stolen laptops, personal digital
    assistants or memory sticks/thumb drives: 45% of
    all incidents studied
  • Records lost by third-party business partners or
    outsourcing companies: 29%
  • Misplaced or stolen backup files: 26%
  • Lost or stolen paper records: 13%
  • Use of malware (spyware) programs: 10%
  • U.S. Companies that reported a breach.
  • Ponemon Data Breach Study October 2006 (US)

Business Case for ISMS
  • Study shows poor protection:
  • 72% of the breaches occurred because the
    information was not properly protected, while
  • 14% occurred because of malicious or insider
  • 14% other
  • U.S. Companies that reported a breach.
  • Ponemon Data Breach Study October 2006 (US)

Business Case for ISMS
  • Study shows breaches have high costs:
  • Data breach losses cost U.S. companies an average
    of $182 per compromised record in 2006, compared
    to $138 per record in 2005, an increase of 31%
  • Approximately $128 of the cost per compromised
    record is related to indirect fallout, such as
    higher than normal customer turnover
  • Each company surveyed parted with an average of
    $4.7 million in payouts and lost business in total
  • Ponemon Data Breach Study October 2006 (US)

Business Case for ISMS
  • Study shows breaches have high operational costs:
  • Expenses related to notifying customers, business
    partners and regulators averaged $660,000 per
    company
  • U.S. companies paid almost $300,000 on average to
    investigate data leaks
  • Costs related to setting up customer hotlines and
    offering credit monitoring services were just
    over $1.24 million on average
  • U.S. companies lost an average of $98 per record
    in business in the 2006 study, compared to $75 per
    record lost in 2005
  • Ponemon Data Breach Study October 2006 (US)

Business Case for ISMS
  • Canadian comparison: security statistics
  • 67% of Canadian organizations engage both
    business and IT decision-makers in addressing
    information security issues, vs. 52% worldwide
  • 37% of respondents report having an overall
    security strategy in place
  • 48% of organizations increased security budgets
    in 2006
  • 21% of respondents indicated that their IT
    security budgets were separate from the overall
    IT budget
  • 43% of respondents were not at all or only
    somewhat confident in their outsourcers' security,
    and just 20% were very confident
  • 61% of Canadian respondents have limited or no
    security training for their employees
  • 33% of Canadian companies report that their
    physical and IT security functions report to the
    same executive, vs. 40% globally
  • 2006 Global State of Information Security (GSIS)
    survey September 2006

Sources of Information Security Threats
  • Computer-assisted fraud
  • Espionage (industrial)
  • Sabotage
  • Vandalism
  • Fire or flood
  • Employees
  • Hacking, worms, viruses
  • Addition of new technology
  • NOTE: Source ISO/IEC 17799:2005, Section 0.2

Information as an Asset
  • Information is:
  • "An asset that, like other important business
    assets, is essential to an organization's
    business and consequently needs to be suitably
    protected"
  • Source: ISO/IEC 17799:2005, Section 0.1
  • Asset definition:
  • "Anything that has value to the organization"
  • Source: ISO/IEC 27001:2005, 3.1

Information Security
  • Information security definition:
  • "Preservation of confidentiality, integrity and
    availability of information; in addition, other
    properties, such as authenticity, accountability,
    non-repudiation and reliability, can also be
    involved"
  • Source: ISO/IEC 27001:2005, 3.4

Confidentiality, Integrity, Availability
Privacy Risks and Threats
Business Case for ISMS
  • Loss of business
  • Loss of brand equity
  • Need for breach notifications (costly)
  • Loss of productivity and increase call centre
    operations (greater number of complaints)
  • Cost to repair and add additional controls
  • Litigation
  • Fines
  • Violation of contractual requirements and the
    potential loss of customer contracts

Business Case for
ISO/IEC 27001
  • The goal of ISO 27001 is to
  • Provide the standard for Information Security
    Management Systems
  • Annex A consists of 11 control clauses, 39 control
    objectives and 133 controls
  • Provide the base for third-party recognition
  • ISO 27001 Registrations/Certifications
    demonstrate conformance to the standard

Annex A
  • Annex A is normative: control objectives and
    controls must be selected from it, and the
    reasons for selecting or excluding each control
    must be explained in the Statement of
    Applicability (4.2.1 j)
  • A. 5 Security policy
  • A. 6 Organization of information security
  • A. 7 Asset management
  • A. 8 Human resources security
  • A. 9 Physical and environmental security
  • A.10 Communications and operations management
  • A.11 Access control
  • A.12 Information systems acquisition,
    development and maintenance
  • A.13 Information security incident management
  • A.14 Business continuity management
  • A.15 Compliance

Additional benefits of
implementing an ISO 27001 system
  • Provides the means for information security
    corporate governance and legal compliance
  • Provides a market differentiator
  • Focuses staff responsibilities and creates
    security awareness
  • Enforces policies and procedures

Thank You! To contact QMI: clientservices_at_qmi.c
Question Answer Session