ISO 27001 - PowerPoint PPT Presentation


Slides: 16
Provided by: EdwardB160



ISO 27001
  • CUA 20th June 2012
  • Simon Hunt CISSP

Agenda
  • Overview of the Standard
  • Benefits of Using ISO 27001
  • Latest Trends
  • Web:
  • Email:

What is ISO 27001?
  • Information Security Management System (ISMS)
  • ISO 27001 defines Information Security Management
  • Preservation of:
  • Confidentiality
  • Integrity
  • Availability
  • of all information assets
  • Certification: YES/NO (UKAS)
  • Note: could also include such properties as
    authenticity, accountability, non-repudiation and

The ISO 27000 Family of Standards
  • ISO 27000 Overview and Vocabulary
  • ISO 27001 Audit Requirements
  • ISO 27002 Code of Practice (was ISO 17799)
  • Also Relevant
  • BS 7799

Management Process Model
  • All management systems follow:
  • Plan: Establish the ISMS
  • Do: Implement/Operate the ISMS
  • Check: Monitor and review the ISMS
  • Act: Maintain and improve the ISMS
  • Common to other ISO standards
  • ISO 9001, ISO 14001

ISO 27001 Content
  • Consists of 2 main parts:
  • Mandatory Clauses 4-8
  • General Requirement of ISMS
  • Management Responsibility
  • Internal ISMS Audit
  • Management Review of the ISMS
  • ISMS Improvement
  • Annex A Control objectives and controls
  • Some justification required for controls not
    applied: the Statement of Applicability
  • Not just IT
  • Useful list of risk areas

  • Establish an ISMS in terms of
  • Characteristics of the business
  • The organisation
  • Its location
  • Its information assets
  • Its technology
  • Define the scope and boundaries of the ISMS
  • Define an ISMS policy
  • Not rigid and prescriptive
  • Appropriate to your organisation and objectives

Risk Assessment Approach
  • Manage Relevant Risks
  • Tailored ISMS
  • Identify the risks
  • Identify assets, threats to the assets,
    vulnerabilities that may be exploited by the
    threats, and the impacts that loss of
    Confidentiality, Integrity or Availability may
    have on the assets
  • Analyse and evaluate the risks
  • Assess the business impact of loss of C, I or A of
    the assets
  • Assess likelihood of security failures
  • Estimate levels of risk
  • Highlights where you need to focus your efforts

Risk Treatment
  • Determine if risks are acceptable; if not:
  • Transfer
  • Avoid
  • Accept (knowingly, objectively)
  • Apply Controls
  • From Annex A
  • Additional controls
  • Statement of Applicability

  • Management Support Crucial
  • Approval of proposed residual risks
  • Authorisation to implement and operate the ISMS
  • Risk removal rarely practical or cost effective
  • Risk controls: risk reduction to an acceptable
    level (Management authorises)
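The two slides above describe a procedure: identify assets, threats, vulnerabilities and C/I/A impacts; rate impact and likelihood; rank the risks; then decide per risk whether to accept, transfer, avoid or reduce it with Annex A controls, and record the result in a Statement of Applicability. The following Python is an added illustration written for this page, not code from the presentation or from ISO 27001. It assumes 1..5 scales, an acceptance threshold of 8, a toy residual-risk model (each applied control lowers likelihood by one step) and a constructed four-entry control catalogue with Annex A style labels; a real ISMS defines these in its own methodology and management approves them.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed 1..5 scales and an assumed acceptance threshold (risk appetite).
SCALE_MAX = 5
ACCEPTABLE_RISK = 8

# Constructed mini-catalogue of control references; labels only, not the
# standard's text. A real SoA lists every Annex A control.
CONTROL_CATALOGUE = {
    "A.9.2": "User access management",
    "A.10.1": "Cryptographic controls",
    "A.12.3": "Backup",
    "A.13.1": "Network security management",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    impact_c: int          # impact of loss of Confidentiality
    impact_i: int          # impact of loss of Integrity
    impact_a: int          # impact of loss of Availability
    likelihood: int        # likelihood of the security failure
    controls: List[str] = field(default_factory=list)  # chosen control ids

    def impact(self) -> int:
        # Worst-case loss across C, I and A.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def level(self) -> int:
        # Estimated level of risk before treatment.
        return self.impact() * self.likelihood

    def residual_level(self) -> int:
        # Toy model (assumption): each applied control lowers likelihood by one.
        return self.impact() * max(1, self.likelihood - len(self.controls))


def validate(risk: Risk) -> None:
    """Reject scores outside the scale and control ids not in the catalogue."""
    for v in (risk.impact_c, risk.impact_i, risk.impact_a, risk.likelihood):
        if not 1 <= v <= SCALE_MAX:
            raise ValueError(f"{risk.rid}: scores must be 1..{SCALE_MAX}")
    unknown = [c for c in risk.controls if c not in CONTROL_CATALOGUE]
    if unknown:
        raise ValueError(f"{risk.rid}: unknown controls {unknown}")


def treatment(risk: Risk, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Treatment decision: accept, reduce with controls, or transfer/avoid."""
    validate(risk)
    if risk.level() <= acceptable:
        return "accept"                  # within appetite: accept knowingly
    if risk.controls and risk.residual_level() <= acceptable:
        return "reduce"                  # controls bring residual risk into appetite
    if risk.controls:
        return "reduce-insufficient"     # residual still too high: more controls, transfer or avoid
    return "transfer-or-avoid"           # no control selected yet


def prioritise(register: List[Risk]) -> List[str]:
    """Risk ids ordered by level, highest first (ties broken by id)."""
    for r in register:
        validate(r)
    return [r.rid for r in sorted(register, key=lambda r: (-r.level(), r.rid))]


def statement_of_applicability(register: List[Risk]) -> Dict[str, str]:
    """Every catalogue control is either applied (with the risks it treats) or
    flagged as needing a documented justification for not being applied."""
    applied: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            applied.setdefault(c, []).append(r.rid)
    soa = {}
    for cid in CONTROL_CATALOGUE:
        if cid in applied:
            soa[cid] = "applied: treats " + ", ".join(sorted(applied[cid]))
        else:
            soa[cid] = "not applied: justification required (no assessed risk needs it)"
    return soa


# Constructed sample register (fictional assets and scores).
REGISTER = [
    Risk("R1", "customer database", "credential theft", "shared admin accounts",
         5, 4, 2, 3, ["A.9.2", "A.10.1"]),
    Risk("R2", "file server", "disk failure", "no tested backups",
         1, 3, 5, 3, ["A.12.3"]),
    Risk("R3", "brochure website", "defacement", "unpatched CMS",
         1, 3, 3, 2),
    Risk("R4", "payroll provider", "provider breach", "no contractual security clauses",
         4, 3, 2, 3),
]

if __name__ == "__main__":
    for rid in prioritise(REGISTER):
        r = next(x for x in REGISTER if x.rid == rid)
        print(rid, r.level(), treatment(r))
    for cid, status in statement_of_applicability(REGISTER).items():
        print(cid, status)
```

Running it ranks R1 and R2 (level 15) above R4 (12) and R3 (6); R1's two controls bring it into appetite, R2's single control does not, R3 is accepted as-is, and R4 has no control yet so needs a transfer or avoid decision. The SoA output shows A.13.1 as "not applied" with a justification still owed, which is exactly the record the earlier slide says the standard expects.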

Practical Approach
  • Few organisations have no elements of ISMS or
  • Gap Analysis
  • Work backwards from the standard
  • Use that as a checklist to determine the risks to
    be addressed
  • Control in place
  • Partial Control
  • No control
  • Clear Picture / Road Map
  • Work On Priorities

Benefits of ISO 27001 Certification
  • Security risks are appropriately prioritised and
    cost effectively managed
  • Targeted and Cost Effective
  • It demonstrates commitment to Information Security
    Management to third parties and stakeholders and
    will give them greater confidence to interact
    with you
  • Increases Confidence in your Organisation
  • Provides a framework to ensure fulfilment of your
    commercial, contractual and legal obligations
  • Fulfil Commercial and Legal Obligations
  • It provides a significant competitive advantage,
    and can effectively be a license to trade with
    companies in certain regulated sectors
  • Contract Requirement
  • It provides for interoperability between
    organisations or groups within an organisation
  • Helps Groups/Companies Work Together
  • Compliance with, or certification against a
    recognised external standard is often used by
    management to demonstrate due diligence.
  • Objective Due Diligence

Recent Trends
  • ISO 27001 is the de facto international standard
    for Information Security Management
  • Increasingly being seen as a contractual requirement
  • Using ISO 27001 as a guideline
  • Interoperability between organisations or groups
    within an organisation facilitates mergers and
  • Use to demonstrate due diligence.

Take Away Points
  • It will give you the structure necessary for
    effective Information Security
  • It's flexible and is tailored to suit your
    environment and requirements
  • You don't necessarily need to certify to gain a
    lot of the benefits

Thank you