Accreditation and certification ISMS: EA Guidelines for ISMS Certification process - PowerPoint PPT Presentation

Slides: 47
Provided by: ingern
1
Accreditation and certification ISMS
EA Guidelines for ISMS
Certification process
  • Inger Nordin

2
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
  • Certification status in Sweden and other
    countries
  • Lessons learned
  • Future trends
  • Further information

3
ISMS certification: Reasons for seeking
Certification
BSI-DISC survey 1999 in co-operation with Admiral
Plc.

Other reasons quoted for seeking Certification
include:
  • To show compliance with the new Data Protection Act
  • To be able to request compliance from other organisations
  • To facilitate compliance with best practice framework
4
Accreditation of CBs
  • SWEDAC technical committee for ISMS
  • EN 45012:1998
  • EA-7/03 Guidelines for the Accreditation of
    bodies operating certification/registration of
    Information Security Management Systems
  • STAFS 2002:2
  • BS 7799-2:2002

5
EA 7/03: Requirements for the Certification Body
  • IS 1 - Scope
  • IS 2 - Impartiality
  • IS 3 - Management competence
  • IS 4 - Auditor competence
  • IS 5 - Audit Team competence
  • IS 11 - Certification decision
  • IS 12 - Reporting by Audit teams to the CB
  • IS 13 - Decision taking, in relation to the
    certification function

6
EA 7/03: Requirements for the Certification Audit
  • IS 6 - Access to personal records
  • IS 7 - Statement of Applicability
  • IS 8 - Scope of certification
  • IS 9 - Audit Methodology
  • IS 10 - Specific Elements of the ISMS Audit
  • IS 14 - Surveillance audits and reassessments

7
EA 7/03 IS 6 - Access to personnel records
  • The certification body shall make clear to the
    customer its need to have access to the personnel
    register
  • The customer shall create opportunities for
    access to the necessary information
  • Agreement at contract signing


8
EA 7/03 IS 7 - Statement of Applicability
  • The client shall have prepared a Statement of
    Applicability relevant for the organisation
  • All of the requirements of the standard (part 2)
    shall be defined (applicable or not applicable)
  • Additional controls might be needed from other
    requirements in the business
  • The Statement of Applicability shall be a part of
    the audit team's working documents - the roadmap


9
BS 7799-2:2002 4.2.1 h) Prepare a Statement of
Applicability
  • Selection of controls and control objectives in
    4.2.1 g)
  • Reasons for selection
  • Also exclusion of control objectives and
    controls listed in Annex A

Based on the RISK ASSESSMENT like everything
else!

10
BS 7799-2:2002 - 4.2.1 h) Statement of
Applicability
(Plan - Do - Check - Act cycle)
  • Cross references to other standards in the
    organisation
  • Statement of fulfilment, non-fulfilment together
    with non-applicability of BS 7799-2
  • Specific organisational details on top of the
    requirements in the standard

Example
A.4.2.2 Security requirements in third-party
contracts - We do not have anyone outside of the
company that requires access, hence this is not
applicable to us.

A.5.2.2 Information labelling and handling -
Requirement from HMG that we shall follow
government guidelines, document ref. XYZ
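As an added example (not part of the presentation or of BS 7799-2), the check below models the rule on these two slides: every control of the standard is listed as applicable or not applicable, with a reason either way, and the applicable ones become the audit team's roadmap. The control list, the `SoAEntry` structure and the sample SoA are constructed for illustration; the control ids are a subset of Annex A, not the full annex.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed subset of BS 7799-2:2002 Annex A control ids (not the full annex).
ANNEX_A_SUBSET = {
    "A.4.2.2": "Security requirements in third-party contracts",
    "A.5.2.2": "Information labelling and handling",
    "A.11.1.1": "Business continuity management process",
    "A.12.1.1": "Identification of applicable legislation",
}

@dataclass
class SoAEntry:
    control: str            # Annex A control id, e.g. "A.5.2.2"
    applicable: bool        # selected under 4.2.1 g) or excluded
    reason: str = ""        # justification is required either way
    cross_refs: tuple = ()  # references to other standards / documents

def check_soa(entries, controls=ANNEX_A_SUBSET):
    """Return the findings an auditor would raise; all-empty lists mean a clean SoA."""
    counts = Counter(e.control for e in entries)
    by_id = {e.control: e for e in entries}
    findings = {
        "missing": sorted(c for c in controls if c not in by_id),        # not addressed at all
        "unknown": sorted(c for c in by_id if c not in controls),        # id not in the standard
        "duplicates": sorted(c for c, n in counts.items() if n > 1),     # listed twice
        "unjustified": sorted(c for c, e in by_id.items() if not e.reason.strip()),
    }
    findings["ready_for_audit"] = not any(
        findings[k] for k in ("missing", "unknown", "duplicates", "unjustified"))
    return findings

def audit_roadmap(entries, controls=ANNEX_A_SUBSET):
    """Applicable controls the audit team will verify, as (id, title, cross_refs)."""
    return [(e.control, controls.get(e.control, "?"), list(e.cross_refs))
            for e in sorted(entries, key=lambda e: e.control) if e.applicable]

# Constructed SoA, modelled on the two example entries on the slide.
SAMPLE_SOA = [
    SoAEntry("A.4.2.2", False, "No one outside the company requires access"),
    SoAEntry("A.5.2.2", True, "HMG requires government guidelines to be followed",
             ("document ref. XYZ",)),
    SoAEntry("A.11.1.1", True),                        # applicable but no reason given
    SoAEntry("A.9.9.9", True, "typo in control id"),   # placeholder id, not in Annex A
]

if __name__ == "__main__":
    for key, value in check_soa(SAMPLE_SOA).items():
        print(f"{key}: {value}")
    print("roadmap:", audit_roadmap(SAMPLE_SOA))
```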
11
EA 7/03 IS 8 - Scope of certification
  • The organisation should define the scope of the
    Information Security Management System (ISMS)
  • Interfaces/delimitations should be identified and
    included in the risk assessment, e.g. a shared
    site
  • The certification body shall ensure that the risk
    assessments are relevant and mirror the business
    area for the chosen scope


12
EA 7/03 IS 9 - Audit Methodology
  • Certification of an Information Security Management
    System shall be done in two steps
  • The goal of step 1 is to gain insight into the
    management system, to evaluate whether the ISMS is
    implemented and ready for the certification audit


13
EA 7/03 IS 10 - Specific Elements of the Audit
  • The organisation shall have a process for
    assessment of threats, vulnerabilities and
    consequences for the organisation
  • Controls shall have been implemented to secure
    vital assets
  • The certification body shall verify that the
    level is relevant according to
    • the business area for the organisation
    • the environment in which the business is conducted


14
EA 7/03 IS 14 - Surveillance audits
  • Surveillance audits on a yearly basis
    • semi-annual, every nine months or once a year
  • Audit methodology - the same as during a
    certification audit
  • Surveillance audits may be combined with audits
    of other management systems, whereby the complete
    business management system is audited at the same
    time


15
ISMS certification: When can certification take
place?
(Figure: awareness creation)

16
ISMS certification: Initial Audit Process
(Figure: follow-up activity)
17
ISMS certification: Steps in the initial audit
process
18
ISMS certification: The risk assessment is the
focal point
19
The auditor's checklist for Risk assessment
evaluation
  • Method
  • Process
  • System/feed-back/repeatability
  • Traceability
  • Support
  • Understanding
  • Implementation
  • Systematic
  • Complete
  • Competence requirements (education training)
  • Participation
  • Management commitment

  • Relevance
  • Security policy
  • Business objectives
  • External impacting factors, e.g. laws, location

20
Internal audits/Certification: Co-ordination with
other audits
  • Quality Management System
  • Environmental Management System
  • Occupational Health and Safety Management System
  • Information Security Management System

A SINGLE BUSINESS MANAGEMENT SYSTEM

An audit TEAM
21
ISMS Certification: Benefits of certification
  • Enhanced corporate image
  • Accountability / re-assurance
  • Drives forward improvement process
  • Ensures management commitment
  • Positive response from potential customers
  • Can be part of Integrated approach
    9001/14001/ISMS
  • Staff motivation

22
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison ISMS, ISO 9001:2000 and ISO 14001:1996

23
Management Systems: 6 focal areas - differences

| BS 7799-2:2002 (ISMS) | ISO 14001:1996 (EMS) | ISO 9001:2000 (QMS) |
| Risk Assessment | Environmental aspects | - |
| Statement of Applicability (4.2.1 h) | - (no) | Application (1.2) |
| Policy - Framework for setting objectives and establishing an overall sense of direction - Monitor and review | Policy - Framework for Environmental Objectives and Targets | Policy - Framework for Quality Objectives - Commitment to comply with Requirements |
| Business Continuity Management (A.11) | Emergency Preparedness and Response (4.4.7) | - |
| Legal Reqs - ALL | Legal Reqs - Environmental | Legal Reqs - ALL |
| Continual improvement of the effectiveness of the ISMS (7) | Continual improvement and prevention of pollution (4.2) | Continual improvement of the QMS (8.5.1) |
| EA 7/03 | EA 7/02 | EA 7/01 |


24
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • EMS closest to Environmental aspects (4.3.1)
  • External impacts from the organization
  • QMS
  • Nothing


25
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • ISMS Statement of Applicability (4.2.1 h)
  • all requirements (applicable, not applicable)
    motivated
  • EMS
  • nothing
  • QMS closest to Application (1.2)
  • Requirements not applicable


26
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • ISMS Information security policy (4.2.1 b,
    4.2.3 b)
  • Characteristics of the business, the
    organization, its location, assets and technology
    (framework, business and legal reqs, etc.)
  • Review of meeting security policy and objectives
  • EMS Environmental policy (4.2)
  • Framework for Environmental Objectives and
    Targets
  • (Published document)
  • QMS Policy (5.3)
  • Framework for Quality objectives
  • Commitment to comply with requirements
  • (Published document)


27
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • ISMS Business continuity plan (A.11)
  • Planning for the continuity of the business
    should anything happen (external or internal
    incident)
  • EMS Emergency preparedness and response (4.4.7)
  • Avoid and minimize environmental impact caused by
    the organization
  • QMS
  • nothing


28
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • ISMS - all applicable laws, ...
  • Compliance with legal requirements (A.12.1)
  • EMS - applicable environmental laws
  • Legal and other requirements (4.3.2)
    Environmental aspects
  • QMS - all applicable laws
  • Management responsibility (5.1)
  • Customer focus (5.2)
  • Identification of customer (product) requirements
    (7.2.1)


29
Comparison ISMS, EMS, QMS: Business Management
System Focus Areas
  • ISMS Continual improvement (7.1) of the
    effectiveness of the ISMS
  • Information security policy, security objectives,
    audit results, analysis of monitored events,
    corrective and preventive actions and management
    review.
  • EMS Environmental Policy (4.3.4)
  • Continual improvement and prevention of pollution
    (4.2)
  • QMS Continual improvement (8.5) of the QMS


30
Similarities ISMS, EMS, QMS: Business Management
System Focus Areas
  • Management commitment - Policy Goal
  • Organisation, incl. responsibility definition
  • System structure
  • Procedures
  • Document control
  • Records management
  • Training
  • Management review
  • Internal audit
  • Corrective and preventive action


31
Differences ISMS, EMS, QMS: Business Management
System Focus Areas
  • Evaluation of the risk assessment and the
    Statement of Applicability
  • Assessment of the operation of controls
  • Verification of achievement of security
    objectives
  • Validation of correct implementation of security
    products
  • Verification of adherence to procedures
  • that's not different


32
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
  • Certification status in Sweden and other countries

33
Reported on the www.xisec.com web site: 7799
certificates around the world
34
Certification: ISMS certification status in the
Nordic countries
  • Finland
  • 8 certificates as of 23rd of January 2003
  • Norway
  • 6 certificates as of 23rd of January 2003
  • Sweden
  • 4 certificates by April 2000 and nothing
    afterwards
  • Denmark
  • A different scheme altogether
  • No certificates


35
Certification: ISMS certification status in other
countries
  • UK
  • 85 certificates as of 14th of February 2003
  • Japan
  • 21 certificates as of 23rd of January 2003
  • India
  • 10 certificates as of 14th of February 2003
  • Korea
  • 9 certificates as of 30th of September 2002
  • Germany
  • 8 certificates as of 16th of January 2003
  • Italy
  • 7 certificates as of 23rd of January 2003
  • Singapore
  • 7 certificates as of 16th of January 2003


36
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
  • Certification status in Sweden and other
    countries
  • Lessons learned

37
Lessons learned: ISMS experiences
  • Norway
  • ISMS certification driven by the Government
    reduction on certification fee
  • Reduction on insurance premium if certified
  • BBC (the payment central for the banks) is
    certified
  • Smart card issuers focusing
  • Health sector on its way
  • Sweden
  • Strong Technical Committee for BS 7799, chaired
    by the security manager of the Swedish National
    Bank, not driving certification
  • Reduction on insurance premiums from one
    insurance company
  • Health sector has adopted parts of BS 7799 and
    issued it as a separate interpretation guide
  • Parts of the Swedish Military are adopting ISMS
    (together with QMS, EMS, etc.)
  • Denmark
  • Big international company trying to impact the
    Accreditation Body to move to the BS 7799 scheme


38
Lessons learned: ISMS experiences in Sweden
  • Low awareness focusing from authorities,
    government, etc.
  • We trust each other, our employees and business
    partners, and do not need protection
  • No one wants to hurt us
  • We have nothing others are interested in
  • Too much IT focus when implementing the ISMS
  • Consultants
  • Focusing on ISO/IEC 17799
  • Nothing mentioned about an ISMS
  • Far too much documentation
  • Lack of business focus
  • Limited risk assessment
  • Mostly lacking the correct background and experience
  • Working on too low a level within companies
  • Lack of business focus specifically in the area
    of continuity planning
  • Too much focus on IT-security combined with the
    thought that technical gadgets are the answer to
    protection within a company i.e. smart cards,
    firewalls, etc.


39
Lessons learned: ISMS experiences from Sweden
  • Involve authorities, government, etc. in
    awareness creation
  • Remember that
  • Information security is not only IT-security
  • Requirements and the ISMS process model are described
    in BS 7799-2:2002
  • ISO/IEC 17799:2000 is a Best Practice, that is,
    guidelines
  • BS 7799-2 and ISO/IEC 17799 should be regarded as
    one entity
  • Business focus is needed during implementation of
    ISMS
  • specifically in the area of continuity planning
    and risk analysis
  • More preparation time needed in mapping business
    processes, risk analysis, etc.
  • Process focus for risk management is important.
  • Choose consultants with the correct competence,
    should help be needed
  • Money keeps the world going round
  • S.I.A Spa, Italy, got their first multimillion
    business from EU
  • ABB Facilities Management and C2 Management
    contracts they would not have got otherwise
  • The strongest driving force is requirements from
    clients


40
Lessons learned - ISMS consultant and
auditor: Competence requirements
Consultant(s) - Representatives from the company
  • Audit team
  • Auditor(s)
  • Business Area expert
  • Technical expert(s)

41
Lessons learned - Business Management
System: Total competence requirement
  • Team competence necessary to
  • build, implement and follow up on a management
    system
  • See competence requirement in EA 7/03, 7/02 and
    7/01

42
Lessons learned: Awareness creation
  • Communication on the Internal web site
  • Training in information security
  • Newly employed
  • Earlier employed
  • Repeated
  • Follow up on training
  • Test
  • Statistics
  • Follow up on compliance
  • Plan
  • Do - keep the business perspective in mind!!!
  • Report - highlight the business perspective!!!
  • Walk through with stakeholders
  • Actions if not OK - escalate to top management
  • Follow up on improvements

43
Agenda
  • Information Security Management System, ISMS
  • Introduction to Business needs and advantages of
    information security
  • Brief history and standards, ISO/IEC 17799:2000
    and BS 7799-2:2002
  • Implementation of an ISMS
  • Risk management
  • Process approach
  • Accreditation and certification ISMS
  • EA Guidelines
  • ISMS Certification
  • Comparison ISMS, ISO 9001:2000 and ISO 14001:1996
  • Certification status in Sweden and other
    countries
  • Lessons learned
  • Future trends
  • Further information

44
Lessons learned: Future trends
  • High risk business areas focusing on ISMS
  • Certificate Service Providers
  • Health Sector
  • Public Sector (24-hours Service to Citizens)
  • Bank and Finance Sector
  • Certification requirements on consultants
  • Training in information security focusing on
    certification of consultants
  • CISP, Certified Information Security Professional
  • CISM, Certified Information Security Manager
    (ISACA)
  • CISA, Certified Information Systems (ISACA)
  • And others (without stating requirements)
  • Adoptions of ISMS used in the regulated area
  • EU Directives
  • Etc.

45
Information Security - 7799: Further information
Contact Inger Nordin, Inger.Nordin_at_validation.nu
Public documentation
  • Preparing for BS7799 Certification (PD3001)
  • The Guide to BS7799 Risk Assessment and Risk
    Management (PD3002)
  • Are you Ready for a BS7799 Audit? (PD3003)
  • Guide to BS7799 Auditing (PD3004)
  • Guide on selection of BS 7799 controls (PD3005)
  • ISO/IEC 17799:2000 Information technology - Code
    of practice for information security management
  • BS 7799-2:2002 Information security management
    systems - Specification with guidance for use
  • EA Guidelines 7/03

