ISO/IEC 27001 Standard for Information Security Management - PowerPoint PPT Presentation
Description: ISO/IEC 27001 Standard for Information Security Management Systems. Information Security Requirements: ISO 27001 specifications, ISO 27002 code of practice. Download from ... – PowerPoint PPT presentation

Slides: 13
Provided by: technicalc3
Learn more at: http://www.technical-communicators.com

Transcript and Presenter's Notes
1
ISO/IEC 27001
  • Standard for Information Security Management Systems

2
Information Security Requirements
  • ISO 27001 specifications
  • ISO 27002 code of practice
  • Download from the BSI website: http://17799.standardsdirect.org
  • The Information Security Forum (ISF) publishes the 2007 Standard of Good Practice (SoGP)

3
Process
  • A) Identify information security risks: threats, vulnerabilities and impacts
  • B) Design/implement information security controls; risk management: risk avoidance/risk transfer
  • C) Maintain security policy/adopt management process

4
ISMS
  • Information Security Management System
  • Broad set of general and IT-specific policies and controls that span the organisation
  • Includes IT, HR, management, business continuity, incident management and other business functions/areas

5
Examples
  • Teleworking/home working: access to data
  • Training staff on information security issues and procedures
  • Recruitment: security checks
  • Data retention policies: how long, where stored, how backups are made, who can access
  • Staff roles: security permissions, access to sensitive information
  • Access to data by third parties and suppliers

6
Certification process
  • Stage 1 - informal review of security documentation
  • Stage 2 - formal and detailed compliance audit
  • Stage 3 - follow-up reviews and audits

7
Security Documents
  • Security policy document
  • Statement of Applicability (SoA)
  • Risk Treatment Plan (RTP)
  • Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy

8
Mandatory requirements
  • Define scope
  • Define ISMS policy
  • Define roles and responsibilities
  • Define the risk assessment approach: criteria for accepting risk
  • Define a level of acceptability of risk
  • List assets: define owners
  • Identify threats, vulnerabilities, impact, likelihood and risk for each asset

9
Mandatory requirements
  • Estimate levels of risk and define whether risks are acceptable or not
  • Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable
  • List controls to implement
  • Manage lifecycle of documentation
  • Obtain management approval of residual risks and of the implementation plan
  • Manage resources

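The risk-assessment steps on slides 8 and 9 (assets and owners, threats, vulnerabilities, impact, likelihood, risk level, acceptance criterion, treatment option, controls to implement, residual risks for management approval) can be walked through as a small risk register. The following is an added example and not material from the presentation or from CTC; the 1-5 scoring scales, the acceptance threshold of 6, the rule for choosing between avoid and transfer, and the sample assets are all constructed for illustration.

```python
# Added example, not part of the original presentation: a minimal risk register that
# walks through the mandatory steps on slides 8 and 9. The scoring scales, the
# acceptance threshold, the treatment rule and the sample assets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed acceptance criterion: risk = impact x likelihood on 1..5 scales,
# and anything scoring at or below this value is accepted as-is.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: int                      # 1 (negligible) .. 5 (severe)
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    control: Optional[str] = None    # candidate control, if one exists
    control_effect: int = 0          # constructed: likelihood points the control removes

    def score(self) -> int:
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        # Likelihood never drops below 1: a control lowers exposure, it does not erase it.
        return self.impact * max(1, self.likelihood - self.control_effect)


def is_acceptable(score: int, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> bool:
    return score <= threshold


def treatment_option(risk: Risk, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> str:
    """Choose one of the four options on slide 9: accept, reduce, transfer or avoid."""
    if is_acceptable(risk.score(), threshold):
        return "accept"
    if risk.control and is_acceptable(risk.residual_score(), threshold):
        return "reduce"
    # Constructed rule: a severe and near-certain risk with no adequate control
    # is avoided (the asset or activity is withdrawn) rather than insured against.
    if risk.impact >= 4 and risk.likelihood >= 4:
        return "avoid"
    return "transfer"


def build_register(risks: List[Risk], threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> List[Dict]:
    """One row per asset: the inputs, the chosen option and the residual risk level."""
    register = []
    for r in risks:
        option = treatment_option(r, threshold)
        if option == "reduce":
            residual = r.residual_score()
        elif option == "avoid":
            residual = 0                 # asset or activity is removed, so no risk remains
        else:
            residual = r.score()         # accepted or transferred: the level itself is unchanged
        register.append({
            "asset": r.asset, "owner": r.owner, "threat": r.threat,
            "vulnerability": r.vulnerability, "risk": r.score(),
            "option": option, "control": r.control if option == "reduce" else None,
            "residual": residual,
        })
    return register


def controls_to_implement(register: List[Dict]) -> List[str]:
    """Slide 9: 'List controls to implement' (input to the Statement of Applicability)."""
    return sorted({row["control"] for row in register if row["control"]})


def residual_risks_for_approval(register: List[Dict],
                                threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> List[str]:
    """Slide 9: residual risks still above the acceptance level need management sign-off."""
    return [row["asset"] for row in register if not is_acceptable(row["residual"], threshold)]


# Constructed sample assets (not from the presentation).
SAMPLE_RISKS = [
    Risk("Customer database", "Head of Sales", "ransomware", "unpatched file server",
         impact=5, likelihood=4, control="patch management and offline backups", control_effect=3),
    Risk("Marketing brochures", "Marketing Manager", "web defacement", "public web server",
         impact=1, likelihood=3),
    Risk("HR laptop", "HR Manager", "theft of device", "no disk encryption",
         impact=4, likelihood=3, control="full-disk encryption", control_effect=2),
    Risk("Legacy payment portal", "Finance Director", "card data breach", "unsupported software",
         impact=5, likelihood=5),
    Risk("Server room", "IT Manager", "flooding", "ground-floor location",
         impact=4, likelihood=3),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_RISKS)
    for row in reg:
        print(f'{row["asset"]:<24} risk={row["risk"]:>2} option={row["option"]:<8} residual={row["residual"]}')
    print("controls:", controls_to_implement(reg))
    print("needs management approval:", residual_risks_for_approval(reg))
```

The point of the register is the separation the slides insist on: the acceptance level is fixed before any asset is scored, every risk above it gets an explicit option, and whatever remains above the level after treatment (here the transferred flooding risk) is what management must formally approve rather than something that disappears from the record.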
10
Mandatory requirements
  • Manage communications
  • Implement controls
  • Implement metric for each control
  • Monitor performance of the controls
  • Review effectiveness of the controls
  • Corrective actions
  • Preventive actions
  • Internal audits
  • Management reviews
  • Write statement of applicability

11
ISMS Project Plan
  • Identify documents and procedures required by ISO 27001
  • Locate templates and forms
  • List activities to implement the security plan: define scope, gap analysis, asset identification, risk assessment, SoA, policies, business continuity, internal audit

12
Thank you
  • We appreciate your interest in CTC
  • Tel: +44 0870 803 2095
  • Email: info@technical-communicators.com
  • Web: www.technical-communicators.com