Title: ISO 27001


1
ISO 27001
  • CUA 20th June 2012
  • Simon Hunt CISSP

2
Agenda
  • Overview of the Standard
  • Benefits of Using ISO 27001
  • Latest Trends
  • Web www.krypsys.com
  • Email info@krypsys.com

3
What is ISO 27001?
  • The international standard for an Information Security Management System (ISMS)
  • ISO 27001 defines information security management as the preservation of:
  • Confidentiality
  • Integrity
  • Availability
  • of all information assets
  • Certification is a simple YES/NO outcome, issued by a certification body (in the UK, one accredited by UKAS)
  • Note: the definition can also include such properties as
    authenticity, accountability, non-repudiation and
    reliability

4
The ISO 27000 Family of Standards
  • ISO 27000: Overview and vocabulary
  • ISO 27001: ISMS requirements (the auditable standard against which certification is granted)
  • ISO 27002: Code of practice for information security controls (was ISO 17799)
  • Also relevant:
  • BS 7799, the British Standard from which the series was derived

5
Management Process Model
  • All management systems follow the same cycle:
  • Plan, Do, Check, Act (PDCA)
  • Plan: establish the ISMS
  • Do: implement and operate the ISMS
  • Check: monitor and review the ISMS
  • Act: maintain and improve the ISMS
  • Common to other ISO management system standards, e.g.
  • ISO 9001, ISO 14001

6
ISO 27001 Content
  • Consists of 2 main parts
  • Mandatory clauses 4 to 8:
  • General requirements of the ISMS
  • Management responsibility
  • Internal ISMS audit
  • Management review of the ISMS
  • ISMS improvement
  • Annex A: control objectives and controls
  • Justification is required for any Annex A control not
    applied, recorded in the Statement of Applicability (SoA)
  • Not just IT
  • Useful list of risk areas

7
Implementation
  • Establish an ISMS in terms of:
  • The characteristics of the business
  • The organisation
  • Its location
  • Its information assets
  • Its technology
  • Define the scope and boundaries of the ISMS
  • Define an ISMS policy
  • The standard is not rigid and prescriptive
  • The ISMS should be appropriate to your organisation and its objectives

8
Risk Assessment Approach
  • Manage the relevant risks
  • Tailored ISMS
  • Identify the risks:
  • Identify assets, the threats to those assets, the
    vulnerabilities that may be exploited by the threats,
    and the impacts that a loss of Confidentiality,
    Integrity or Availability may have on the assets
  • Analyse and evaluate the risks:
  • Assess the business impact of a loss of C, I or A for
    each asset
  • Assess the likelihood of security failures
  • Estimate the levels of risk
  • This highlights where you need to focus your efforts

9
Risk Treatment
  • Determine whether each risk is acceptable; if not:
  • Transfer it
  • Avoid it
  • Accept it (knowingly and objectively)
  • Apply controls:
  • From Annex A
  • Additional controls where Annex A is not sufficient
  • Record the decisions in the Statement of Applicability
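The assessment and treatment steps on the two slides above, worked through in code. This is an added example and not part of the presentation or of the standard: the assets, threats, vulnerability tags, 1 to 5 impact and likelihood scales, risk appetite threshold and CTRL-xx control references are all constructed placeholders (the CTRL-xx references are not Annex A control numbers). It goes slightly beyond the slides by showing the failure mode where the best available control still leaves the residual risk above appetite, which is the case management must then approve, avoid or transfer.

```python
"""Risk assessment, risk treatment and Statement of Applicability (added example).

All data below is constructed for illustration; CTRL-xx refs are placeholders,
not Annex A controls.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact: dict          # business impact (1..5) of losing "C", "I" or "A"


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str    # tag that a control can mitigate
    affects: str          # "C", "I" or "A"
    likelihood: int       # 1..5: how likely the threat exploits the vulnerability

    def level(self, likelihood=None):
        """Estimated level of risk = business impact x likelihood."""
        lk = self.likelihood if likelihood is None else likelihood
        return self.asset.impact[self.affects] * lk


@dataclass
class Control:
    ref: str              # placeholder reference, not an Annex A number
    title: str
    mitigates: frozenset  # vulnerability tags the control addresses
    reduction: int        # likelihood steps the control removes


RISK_APPETITE = 8   # assumption: levels above this are not acceptable as they stand


def prioritise(risks):
    """Rank risks by estimated level, highest first: where to focus effort."""
    return sorted(risks, key=lambda r: r.level(), reverse=True)


def treat(risk, catalogue, appetite=RISK_APPETITE):
    """Treatment decision for one risk.

    Returns (option, control_ref, residual_level). 'accept' is the knowing,
    objective acceptance of a risk already within appetite; 'reduce' applies
    the strongest applicable control; 'escalate' means no single control brings
    the risk within appetite, so management must approve the residual risk or
    choose to avoid/transfer it instead.
    """
    if risk.level() <= appetite:
        return ("accept", None, risk.level())
    candidates = [c for c in catalogue if risk.vulnerability in c.mitigates]
    if not candidates:
        return ("escalate", None, risk.level())
    best = max(candidates, key=lambda c: c.reduction)
    residual = risk.level(max(1, risk.likelihood - best.reduction))
    option = "reduce" if residual <= appetite else "escalate"
    return (option, best.ref, residual)


def statement_of_applicability(catalogue, risks, appetite=RISK_APPETITE):
    """Every catalogue control is listed as applied or not, each with a justification."""
    decisions = [(r, treat(r, catalogue, appetite)) for r in risks]
    soa = {}
    for c in catalogue:
        users = [r for r, (_, ref, _) in decisions if ref == c.ref]
        if users:
            why = "treats: " + "; ".join(f"{r.threat} on {r.asset.name}" for r in users)
            soa[c.ref] = (True, why)
        else:
            soa[c.ref] = (False, "no risk above appetite requires it")
    return soa


# Constructed sample data (not taken from any real assessment).
CUSTOMER_DB = Asset("customer database", {"C": 5, "I": 4, "A": 3})
WEBSITE = Asset("public website", {"C": 2, "I": 3, "A": 4})

SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "external attacker", "unpatched", "C", 3),
    Risk(CUSTOMER_DB, "accidental deletion", "no-backups", "A", 2),
    Risk(WEBSITE, "denial of service", "single-provider", "A", 4),
    Risk(WEBSITE, "defacement", "weak-auth", "I", 2),
]

CATALOGUE = [
    Control("CTRL-01", "Patch management", frozenset({"unpatched"}), 2),
    Control("CTRL-02", "Backup and restore testing", frozenset({"no-backups"}), 1),
    Control("CTRL-03", "DDoS mitigation service", frozenset({"single-provider"}), 1),
    Control("CTRL-04", "Strong authentication", frozenset({"weak-auth"}), 1),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.level():>3}  {r.asset.name}: {r.threat} via {r.vulnerability} -> {treat(r, CATALOGUE)}")
    for ref, (applied, why) in statement_of_applicability(CATALOGUE, SAMPLE_RISKS).items():
        print(f"{ref}: {'applied' if applied else 'not applied'} ({why})")
```

With the constructed data the denial-of-service risk scores highest (16) and the only applicable control still leaves it at 12, above the appetite of 8, so it is returned as "escalate": exactly the residual risk that the next slide says management must explicitly approve. The two low-scoring risks are accepted, and the SoA records that CTRL-02 and CTRL-04 are not applied together with the reason, which is the justification the standard expects for every control left out.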

10
Management
  • Management support is crucial
  • Approval of the proposed residual risks
  • Authorisation to implement and operate the ISMS
  • Removing a risk entirely is rarely practical or cost-effective
  • Controls reduce risk to an acceptable level, and it is
    management that authorises what "acceptable" means

11
Practical Approach
  • Few organisations have no elements of an ISMS or no
    controls already in place
  • Gap analysis:
  • Work backwards from the standard
  • Use it as a checklist to determine the risks to be
    addressed, rating each area as:
  • Control in place
  • Partial control
  • No control
  • This gives a clear picture and a road map
  • Work on the priorities

12
Benefits of ISO 27001 Certification
  • Targeted and cost-effective: security risks are
    appropriately prioritised and cost-effectively managed
  • Increases confidence in your organisation: it
    demonstrates commitment to information security
    management to third parties and stakeholders, and gives
    them greater confidence to interact with you
  • Fulfils commercial and legal obligations: it provides a
    framework to ensure fulfilment of your commercial,
    contractual and legal responsibilities
  • Contract requirement: it provides a significant
    competitive advantage, and can effectively be a licence
    to trade with companies in certain regulated sectors
  • Helps groups and companies work together: it provides
    for interoperability between organisations, or between
    groups within an organisation
  • Objective due diligence: compliance with, or
    certification against, a recognised external standard is
    often used by management to demonstrate due diligence

13
Recent Trends
  • ISO 27001 is the de facto international standard
    for information security management
  • Increasingly being seen as a contractual
    requirement
  • Organisations using ISO 27001 as a guideline without
    seeking certification
  • Interoperability between organisations, or between
    groups within an organisation, facilitates mergers and
    acquisitions
  • Used to demonstrate due diligence

14
Take Away Points
  • It gives you the structure necessary for effective
    information security
  • It is flexible and is tailored to suit your
    environment and requirements
  • You don't necessarily need to certify to gain many of
    the benefits

15
Thank you