
ISO 27001

source: https://courses.elearning.tecnico.ulisboa.pt/courses/course-v1:MOOCs+ISO27001X+2020/about

1. Information

Information is an asset, stored on paper, in digital form or in people's brains.

CIA

Information properties: Confidentiality, Integrity and Availability

2. Information Security Management

Information Security

The preservation of confidentiality, integrity and availability of information.

Information Security Management

Information security is managed by implementing controls that protect the information assets.

3. Information Security Management System

Information Security Management System

ISMS is a systematic approach to:
  • establishing
  • implementing
  • operating
  • monitoring
  • reviewing
  • maintaining
  • improving
the organization's information security.

ISMS is based on risk assessment to effectively treat and manage risks, using policies, procedures, guidelines and associated resources and activities.

Benefits

Greater protection of information against more threats
Structural approach for managing information security risks
Compliance with contractual, legal and regulatory requirements

Risks

Physical, human and technology threats associated with the information used by the organization.

4. ISO 27001 Context

Standards Hierarchy

  • International Standards: ISO, IEC, ITU
  • Regional Standards: CEN
  • National Standards: Gov., IPQ
  • Publicly Available Specifications
  • Private Standards
  • Company Codes of Practice
Consensus and control grow in opposite directions in this hierarchy.

ISO 27000

Overview and vocabulary of ISMSs

ISO 27002

Code of practice for information security controls

ISO 27003

ISMS implementation guidance

ISO 27004

Information security management - measurements

ISO 27005

Information security risk management

Reference forum

www.iso27001security.com

5. ISO 27001 Structure

Clauses

0. Introduction 
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

PDCA or Deming Cycle

Plan - establish - Clauses 4-7
Do - implement and operate - Clause 8
Check - monitor and review - Clause 9
Act - maintain and improve - Clause 10

6. Organizational Context

External

Regulations
Corruption

Internal

Cultural
Lack of resources

Information Security Requirements

Legal
Contractual

ISMS Scope

Based on the external and internal contexts, relevant interested parties' requirements, and interfaces and dependencies with other organizations.

The scope may include the entire organization, parts of the organization or parts of several organizations. However, each certification can only cover one organization.

6. Leadership

Implementing an ISMS

Policy and objectives
Security requirements
Access to resources
Communication of security requirements

Ensure that organizational roles, responsibilities and authorities are assigned and communicated.

Compliant with ISO 27001, communicated to top management and to the organization.

7. Planning

Risks and opportunities affecting CIA

SWOT

Information security risk assessment

  • Establish risk criteria
    • likelihood versus impact matrix
  • Identify information security risks
  • Analyse information security risks
  • Evaluate information security risks

Risk treatment plan

  • Select risk treatment options
  • Determine the necessary controls
  • Compare controls against Annex A
  • Update the Statement of Applicability (SoA)
  • Update and approve risk treatment plan
An example of an objective for a control could be that all security incidents are registered.

Overall planning process

  • Risk and opportunities
    • ISMS context
    • ISMS risks and opportunities
  • Risk assessment
    • Assets, threats and vulnerabilities
    • Prioritized risks
  • Risk treatment
    • Prioritized risks
    • Statement of applicability
    • Risk treatment plan
  • Information security objectives
    • Risk treatment plan
    • Objectives
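The planning steps above (risk criteria as a likelihood versus impact matrix, risk evaluation, treatment option selection and the Statement of Applicability) carried through on a small risk register. This is an added example, not material from the course notes: the rating scales, the acceptance threshold and the sample risks are constructed, and the control references used are the Annex A headings listed later on this page.

```python
# Added example, not part of the course notes: a minimal risk register that walks the
# planning steps (risk criteria as a likelihood x impact matrix, evaluation against an
# acceptance threshold, treatment option selection, and a Statement of Applicability
# derived from the selected controls). Scales, threshold and sample risks are constructed;
# the control references and titles are the Annex A headings listed on this page.
from dataclasses import dataclass

# Risk criteria (constructed): likelihood and impact are rated 1 (low) to 5 (high);
# the risk score is their product, so the matrix runs from 1 to 25.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPT_THRESHOLD = 6  # scores at or below this are accepted; above it they must be treated


def validate_rating(value: int, name: str) -> int:
    """Reject ratings outside the agreed scale so bad data cannot hide a high risk."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: tuple  # Annex A control references proposed to modify this risk

    def score(self) -> int:
        return validate_rating(self.likelihood, "likelihood") * validate_rating(self.impact, "impact")


def assess(risks):
    """Analyse and evaluate: return the register ordered by descending score (prioritised risks)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treat(risks, threshold=ACCEPT_THRESHOLD):
    """Select a treatment option per risk: 'accept' at or below the threshold, otherwise
    'modify' with the proposed controls. Sharing or avoiding the risk would be further options."""
    plan = []
    for r in assess(risks):
        option = "accept" if r.score() <= threshold else "modify"
        plan.append({
            "asset": r.asset, "threat": r.threat, "score": r.score(),
            "option": option, "controls": r.controls if option == "modify" else (),
        })
    return plan


def statement_of_applicability(annex_a, plan):
    """Compare the controls in the treatment plan against Annex A. Every Annex A control
    appears in the SoA; it is applicable when at least one treated risk justifies it."""
    soa = {ref: {"title": title, "applicable": False, "justification": []}
           for ref, title in annex_a.items()}
    for entry in plan:
        for ref in entry["controls"]:
            if ref not in soa:
                raise KeyError(f"control {ref} is not an Annex A control")
            soa[ref]["applicable"] = True
            soa[ref]["justification"].append(f"{entry['asset']}: {entry['threat']}")
    return soa


# Constructed sample data.
ANNEX_A_SAMPLE = {
    "A.8.3": "Media handling",
    "A.10.1": "Cryptography controls",
    "A.12.3": "Backup",
    "A.12.6": "Technical vulnerability management",
}
SAMPLE_RISKS = [
    Risk("printed reports", "misplacement", "paper left on desks", 2, 3, ("A.8.3",)),
    Risk("customer database", "ransomware", "unpatched servers", 4, 5, ("A.12.3", "A.12.6")),
    Risk("laptops", "theft", "unencrypted disk", 3, 4, ("A.10.1",)),
]

if __name__ == "__main__":
    plan = treat(SAMPLE_RISKS)
    for entry in plan:
        print(f"{entry['score']:>2}  {entry['option']:<6}  {entry['asset']} / {entry['threat']}  {entry['controls']}")
    for ref, row in statement_of_applicability(ANNEX_A_SAMPLE, plan).items():
        state = "applicable" if row["applicable"] else "not applicable"
        print(ref, row["title"], state, row["justification"])
```

Running it lists the three risks from highest to lowest score with the chosen option, then the SoA in which every Annex A control is present and the ones left "not applicable" still need a written justification before the SoA is approved.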

8. Support

Resources

  • Services
  • People
  • Money
  • Technology

Competence

  • Education
  • Training
  • Experience

Awareness

  • Policies
  • Individual contribution
  • Requirements
  • Workshops
  • Emails

Communication

  • What
    • Policies
    • Objectives
  • When
    • Changes
  • With whom
    • Providers
    • Customers
  • Who
    • ISMS manager
    • ITR department
  • How
    • Email
    • Websites
    • Social networks

Documented information

  • Policies *
  • ISMS Manual / Detailed policies *
  • Processes / Procedures *
  • Support documentation *
  • Records
    • risk management reports
    • evidences of achieved results
    • training records
    • HR competences
    • Experience and qualifications
    • key performance indicators
    • internal audit program and plans
    • management reviews results
    • non-conformities
    • corrective actions
  • ISMS scope
  • IS policies and objectives
  • Statement of applicability

9. Operation

Operation

[Resources] -> [Processes] -> [Outputs] -> Feedback -> [Control and planning] -> Adjustment

Processes

  • Procedures
  • Actions
    • Construction of an entire information system
    • Construction of a new datacenter
  • Risks and Impacts
    • The launch of a new online store must be identified in an early phase of the definition
  • Outsourced activities
    • Outsourcing of business application development
The processes previously defined for assessing and treating risks have to be executed at planned intervals or whenever significant changes occur.

9. Performance Evaluation

Processes

Sequences of activities that transform inputs into outputs.

Controls

May be processes, policies, devices, practices, or any other action that decreases risk.

Activities over controls

  • Monitoring
  • Measurement
  • Analysis
  • Evaluation

Audit

Systematic, independent and documented process

Management

Periodic Meeting
  • Suitability
  • Adequacy
  • Effectiveness

10. Improvement

Nonconformity

ISMS requirement

Continual improvement

  • Suitability
  • Adequacy
  • Effectiveness of the ISMS

11. The Incident Management Process

Plan and prepare phase

  • Create an accessible, short plan for incident response for the entire organisation
  • Define what is a security incident
  • Explicitly define the security response process with assigned responsibilities
  • Perform incident response training
  • Raise awareness
  • Use proper tools

Detection and reporting phase

  • Allow for detection through automatic tools, intraorganisational collaboration and manual reporting
  • Communicate with stakeholders and suppliers
  • Start documentation as soon as incidents are discovered
  • Document all incidents

Assessment and decision phase

  • Define details to be contained in incident reports
  • Confirm incidents
  • Classify incidents
  • Take special care in outsourcing scenarios

Responses phase

  • Define response priorities
  • Collaborate with technical and business staff
  • Remain in contact with reporter of incident
  • Automate where possible. 

Lessons learnt phase

  • Perform assessment and evaluation after every incident
  • Disseminate incident information
  • Use of metrics for learning effects and tuning of technical measures
  • Learn from incidents as a measure for reducing the number of incidents 
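The detection and reporting, assessment and decision, and lessons learnt phases above applied to a small incident register. This is an added example and not part of the course notes: it keeps the details an incident report needs (reporter, detection source, timestamps, affected CIA properties), confirms and classifies each incident, and derives the kind of metrics the lessons learnt phase calls for. The classification rule, the timestamps and the incidents themselves are constructed.

```python
# Added example, not part of the course notes: a constructed incident register covering
# detection/reporting (who reported, through which channel), assessment/decision
# (confirm and classify) and lessons learnt (metrics). The classification rule and the
# sample incidents are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, FrozenSet
from statistics import mean

CIA = frozenset({"C", "I", "A"})
SEVERITY = ("low", "medium", "high")  # index = number of CIA properties affected - 1


@dataclass(frozen=True)
class Incident:
    ident: str
    reporter: str
    source: str                   # "automatic tool", "staff report" or "supplier"
    occurred_at: datetime         # best estimate of when the event started
    detected_at: datetime
    contained_at: Optional[datetime]
    affected: FrozenSet[str]      # subset of {"C", "I", "A"}
    confirmed: bool               # False once assessment shows it was a false alarm

    def __post_init__(self):
        # Timeline sanity checks: a report with impossible timestamps is itself a finding.
        if self.detected_at < self.occurred_at:
            raise ValueError(f"{self.ident}: detected before it occurred")
        if self.contained_at is not None and self.contained_at < self.detected_at:
            raise ValueError(f"{self.ident}: contained before it was detected")
        if not self.affected <= CIA:
            raise ValueError(f"{self.ident}: unknown property in {set(self.affected)}")


def classify(inc: Incident) -> str:
    """Constructed rule: severity grows with the number of CIA properties affected."""
    if not inc.confirmed:
        return "false alarm"
    n = len(inc.affected)
    return SEVERITY[n - 1] if n else "low"


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def metrics(incidents):
    """Lessons-learnt figures: detection and containment delays, counts by source and severity."""
    confirmed = [i for i in incidents if i.confirmed]
    closed = [i for i in confirmed if i.contained_at is not None]
    by_source, by_severity = {}, {}
    for i in confirmed:
        by_source[i.source] = by_source.get(i.source, 0) + 1
        sev = classify(i)
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return {
        "reported": len(incidents),
        "confirmed": len(confirmed),
        "false_alarms": len(incidents) - len(confirmed),
        "open": len(confirmed) - len(closed),
        "mean_hours_to_detect": mean([hours(i.occurred_at, i.detected_at) for i in confirmed]) if confirmed else 0.0,
        "mean_hours_to_contain": mean([hours(i.detected_at, i.contained_at) for i in closed]) if closed else 0.0,
        "by_source": by_source,
        "by_severity": by_severity,
    }


# Constructed sample register.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "SOC analyst", "automatic tool",
             datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 14, 0),
             frozenset({"C", "I"}), True),
    Incident("INC-2", "help desk", "staff report",
             datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 9, 30), None,
             frozenset({"A"}), True),
    Incident("INC-3", "hosting provider", "supplier",
             datetime(2024, 3, 3, 12, 0), datetime(2024, 3, 3, 13, 0), datetime(2024, 3, 3, 13, 30),
             frozenset(), False),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, inc.source, classify(inc))
    print(metrics(SAMPLE_INCIDENTS))
```

The third record shows why unconfirmed reports are kept rather than deleted: the false-alarm rate per detection source is one of the metrics used to tune automatic tools, and it cannot be computed if those reports are discarded at the assessment step.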

12. Annex A of ISO 27001 

The Annex A of ISO 27001 standard contains 14 control clauses, with a total of 35 main security categories and 114 controls.

A.5 Information Security Policies

  • Access Control
  • Information classification
  • Physical and environment security
  • Acceptable usage of assets
  • Backups
  • Malware protection
  • Technical vulnerabilities
  • Cryptography
  • Communications
  • Privacy and personal data
  • Suppliers

A.5.1 Management Direction for Information Security

Policies -> employees, customers, other

A.5.1.1 Policies

A.5.1.2 Review

A.6 Organization of Information Security

A.6.1. Internal Organization

A.6.1.1. Roles and responsibilities

A.6.1.2. Segregation of duties

A.6.1.3. Contact with authorities

A.6.1.4. Contact with special interest groups

A.6.1.5. Project management

A.6.2. Mobile devices and Teleworking

A.6.2.1 Mobile devices

A.6.2.2 Teleworking

A.7 Human Resources Security

A.7.1. Prior to employment

A.7.2. During employment

A.7.3. Termination and change of employment

A.8 Asset management

Identify all the assets that are necessary to transport, process or archive information.

A.8.1. Responsibility for assets

A.8.2. Information classification

A.8.3. Media handling

A.9 Access control

A.9.1. Business requirements of access control

A.9.2. User access management

A.9.3. User management / responsibilities

A.9.4. System and application access control

A.10 Cryptography

A.10.1 Cryptography controls

A.10.2 Key management

A.11 Physical and environmental security

A.11.1 Secure areas

A.11.2 Equipment

A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.2 Protection from malware

A.12.3 Backup

A.12.4 Logging and monitoring

A.12.5 Control of operational software

A.12.6 Technical vulnerability management

A.12.7 Information systems audit considerations

A.13 Communication security

A.13.1 Network security management

A.13.2 Information transfer

A.14 System acquisition, development and maintenance

Internal teams, public networks, external suppliers

A.14.1 Security requirements of information systems

A.14.2 Security in development and support processes

A.14.3 Test data

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

A.15.2 Supplier service delivery management

A.16 Information Security incident management

A.16.1 Management of information security incidents and improvements

A.17 Information Security aspects of business continuity management

A.17.1 Information security continuity

A.17.2 Redundancies

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

A.18.2 Information security reviews

13. ISMS Implementation

ISMS implementation project

Initiate the project
Get Management Support
Define Scope
Plan the Implementation
Establish Communication
Conduct Risk Assessment
Conduct Risk Treatment
Prepare Documentation
Compliance Check
Initiate the Project
Certification

ISO 27003 Guidance

ISO 27003 provides implementation guidance on the requirements of Clauses 4 to 10 of ISO 27001, and also provides recommendations, possibilities and permissions in relation to them.
The structure of the ISO 27003 clauses mirrors the structure of ISO 27001, adding explanations of what the ISO 27001 requirements imply.

14. Certification

Certification arrangements

Select certification body (Registered Certification Body - RCB)
Confirm the scope
Understand implications
Readiness assessment
Overall plan commitment
Detailed assessment(s)
Correction and improvements
Formal Audit

Stage 1 - Documentation Review
Stage 2 - Compliance Audit

ISO/IEC 17021-1 - Requirements for RCBs
ISO/IEC 27006 - Additional requirements for ISMS RCBs

Certification maintenance

Certification Audit (2 stages) -> 1st year Surveillance Audit -> 2nd year Surveillance Audit -> 3rd year Re-certification Audit

15. GDPR

Principles and rules for the processing of personal data

GDPR: processing principles and rules
ISO 27001: security of processing

ISO 27701: Privacy Information Management System - PIMS
