ISO 27001

source: https://courses.elearning.tecnico.ulisboa.pt/courses/course-v1:MOOCs+ISO27001X+2020/about

1. Information

Information is an asset, stored on paper, digitally or in people's brains.

CIA

Information properties: Confidentiality, Integrity and Availability

2. Information Security Management

Information Security

The preservation of confidentiality, integrity and availability of information.

Information Security Management

Information security is managed by implementing controls that protect the information assets.

3. Information Security Management System

Information Security Management System

An ISMS is a systematic approach to:
  • establishing
  • implementing
  • operating
  • monitoring
  • reviewing
  • maintaining
  • improving
the organization's information security.

An ISMS is based on risk assessment to effectively treat and manage risks, using policies, procedures, guidelines and associated resources and activities.

Benefits

Greater protection of information against more threats
Structural approach for managing information security risks
Compliance with contractual, legal and regulatory requirements

Risks

Physical, human and technology threats associated with the information used by the organization.

4. ISO 27001 Context

Standards Hierarchy

  • International Standards: ISO, IEC, ITU
  • Regional Standards: CEN
  • National Standards: Gov., IPQ
  • Publicly Available Specifications
  • Private Standards
  • Company Codes of Practice
Consensus and control grow in opposite directions in this hierarchy.

ISO 27000

Overview and vocabulary of ISMSs

ISO 27002

Code of practice for information security controls

ISO 27003

ISMS implementation guidance

ISO 27004

Information security management - measurements

ISO 27005

Information security risk management

Reference forum

www.iso27001security.com

5. ISO 27001 Structure

Clauses

0. Introduction 
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

PDCA or Deming Cycle

Plan - establish - Clauses 4-7
Do - implement and operate - Clause 8
Check - monitor and review - Clause 9
Act - maintain and improve - Clause 10

6. Organizational Context

External

Regulations
Corruption

Internal

Cultural
Lack of resources

Information Security Requirements

Legal
Contractual

ISMS Scope

Based on the external and internal contexts, relevant interested parties' requirements, and interfaces and dependencies with other organizations.

The scope may include the entire organization, parts of the organization or parts of several organizations. However, each certification can only cover one organization.

6. Leadership

Implementing an ISMS

Policy and objectives
Security requirements
Access to resources
Communication of security requirements

Ensure that organizational roles, responsibilities and authorities are assigned and communicated.

Compliant with ISO 27001, communicated to top management and to the organization.

7. Planning

Risks and opportunities affecting CIA

SWOT

Information security risk assessment

  • Establish risk criteria
    • likelihood versus impact matrix
  • Identify information security risks
  • Analyse information security risks
  • Evaluate information security risks

Risk treatment plan

  • Select risk treatment options
  • Determine the necessary controls
  • Compare controls against Annex A
  • Update the Statement of Applicability (SoA)
  • Update and approve risk treatment plan
An example of an objective for a control could be that all security incidents are registered.

Overall planning process

  • Risk and opportunities
    • ISMS context
    • ISMS risks and opportunities
  • Risk assessment
    • Assets, threats and vulnerabilities
    • Prioritized risks
  • Risk treatment
    • Prioritized risks
    • Statement of applicability
    • Risk treatment plan
  • Information security objectives
    • Risk treatment plan
    • Objectives
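The risk assessment and risk treatment steps above, carried through as an added worked example (not part of the course notes): risk criteria as a likelihood versus impact matrix, identify/analyse/evaluate, treatment option selection, and a Statement of Applicability derived from the controls compared against Annex A. The 1-5 scale, the acceptance threshold, the sample risks and the Annex A subset are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Risk criteria (assumed for this example): likelihood and impact on a 1-5
# scale, risk level = likelihood * impact, and levels of 6 or below are
# accepted by management. A real organisation sets its own criteria.
SCALE = range(1, 6)
ACCEPTANCE_THRESHOLD = 6

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    annex_a_control: str  # Annex A control the risk is compared against

    def level(self) -> int:
        # Analyse step: position in the likelihood versus impact matrix
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact

def evaluate(risk: Risk) -> str:
    """Evaluate step: compare the analysed level with the risk criteria."""
    return "treat" if risk.level() > ACCEPTANCE_THRESHOLD else "accept"

def treatment_plan(risks: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Risk treatment plan, highest risk first. Options use ISO 27005
    naming: 'modify' (apply the compared Annex A control) or 'retain'."""
    plan = []
    for r in sorted(risks, key=lambda r: r.level(), reverse=True):
        option = "modify" if evaluate(r) == "treat" else "retain"
        plan.append((r.asset, r.threat, r.level(), option))
    return plan

def statement_of_applicability(risks: list[Risk], annex_a: list[str]) -> dict[str, str]:
    """SoA: every listed Annex A control with applicability and justification."""
    needed = {r.annex_a_control for r in risks if evaluate(r) == "treat"}
    return {c: ("applicable - selected by risk treatment" if c in needed
                else "not applicable - no unaccepted risk") for c in annex_a}

# Constructed sample risks (identify step: asset, threat, vulnerability).
RISKS = [
    Risk("customer database", "ransomware", "untested backups", 4, 5, "A.12.3 Backup"),
    Risk("staff laptops", "theft", "unencrypted disks", 3, 4, "A.10.1 Cryptography controls"),
    Risk("reception printer", "hardware failure", "ageing device", 2, 2, "A.11.2 Equipment"),
]
ANNEX_A_SUBSET = ["A.10.1 Cryptography controls", "A.11.2 Equipment",
                  "A.12.3 Backup", "A.12.4 Logging and monitoring"]
```

Calling `treatment_plan(RISKS)` yields the prioritized plan and `statement_of_applicability(RISKS, ANNEX_A_SUBSET)` the SoA; a control with no unaccepted risk behind it is recorded as not applicable, which is the justification an auditor expects to see.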

8. Support

Resources

  • Services
  • People
  • Money
  • Technology

Competence

  • Education
  • Training
  • Experience

Awareness

  • Policies
  • Individual contribution
  • Requirements
  • Workshops
  • Emails

Communication

  • What
    • Policies
    • Objectives
  • When
    • Changes
  • With whom
    • Providers
    • Customers
  • Who
    • ISMS manager
    • ITR department
  • How
    • Email
    • Websites
    • Social networks

Documented information

  • Policies *
  • ISMS Manual / Detailed policies *
  • Processes / Procedures *
  • Support documentation *
  • Records
    • risk management reports
    • evidences of achieved results
    • training records
    • HR competences
    • Experience and qualifications
    • key performance indicators
    • internal audit program and plans
    • management reviews results
    • non-conformities
    • corrective actions
  • ISMS scope
  • IS policies and objectives
  • Statement of applicability

9. Operation

Operation

[Resources] -> [Processes] -> [Outputs] -> Feedback -> [Control and planning] -> Adjustment

Processes

  • Procedures
  • Actions
    • Construction of an entire information system
    • Construction of a new datacenter
  • Risks and Impacts
    • Launch of a new online store must be identified in an early definition phase
  • Outsourced activities
    • Outsourcing of business application development
The processes previously defined for assessing and treating risks have to be executed at planned intervals or whenever significant changes occur.

9. Performance Evaluation

Processes

Sequences of activities that transform inputs into outputs.

Controls

May be processes, policies, devices, practices, or any other action that decreases risk.

Activities over controls

  • Monitoring
  • Measurement
  • Analysis
  • Evaluation

Audit

Systematic, independent and documented process

Management

Periodic Meeting
  • Suitability
  • Adequacy
  • Effectiveness

10. Improvement

Nonconformity

ISMS requirement

Continual improvement

  • Suitability
  • Adequacy
  • Effectiveness of the ISMS

11. The Incident Management Process

Plan and prepare phase

  • Create an accessible, short plan for incident response for the entire organisation
  • Define what is a security incident
  • Explicitly define the security response process with assigned responsibilities
  • Perform incident response training
  • Raise awareness
  • Use proper tools

Detection and reporting phase

  • Allow for detection through automatic tools, intraorganisational collaboration and manual reporting
  • Communicate with stakeholders and suppliers
  • Start documentation as soon as incidents are discovered
  • Document all incidents

Assessment and decision phase

  • Define details to be contained in incident reports
  • Confirm incidents
  • Classify incidents
  • Take special care in outsourcing scenarios

Responses phase

  • Define response priorities
  • Collaborate with technical and business staff
  • Remain in contact with reporter of incident
  • Automate where possible. 

Lessons learnt phase

  • Perform assessment and evaluation after every incident
  • Disseminate incident information
  • Use of metrics for learning effects and tuning of technical measures
  • Learn from incidents as a measure for reducing the number of incidents 

12. Annex A of ISO 27001 

Annex A of the ISO 27001 standard contains 14 control clauses, with a total of 35 main security categories and 114 controls.

A.5 Information Security Policies

  • Access Control
  • Information classification
  • Physical and environment security
  • Acceptable usage of assets
  • Backups
  • Malware protection
  • Technical vulnerabilities
  • Cryptography
  • Communications
  • Privacy and personal data
  • Suppliers

A.5.1 Management Direction for Information Security

Policies -> employees, customers, other

A.5.1.1 Policies

A.5.1.2 Review

A.6 Organization of Information Security

A.6.1. Internal Organization

A.6.1.1. Roles and responsibilities

A.6.1.2. Segregation of duties

A.6.1.3. Contact with authorities

A.6.1.4. Contact with special interest groups

A.6.1.5. Project management

A.6.2. Mobile devices and Teleworking

A.6.2.1 Mobile devices

A.6.2.2 Teleworking

A.7 Human Resources Security

A.7.1. Prior to employment

A.7.2. During employment

A.7.3. Termination and change of employment

A.8 Asset management

Identify all the assets that are necessary to transport, process or archive information.

A.8.1. Responsibility for assets

A.8.2. Information classification

A.8.3. Media handling

A.9 Access control

A.9.1. Business requirements of access control

A.9.2. User access management

A.9.3. User management / responsibilities

A.9.4. System and application access control

A.10 Cryptography

A.10.1 Cryptography controls

A.10.2 Key management

A.11 Physical and environmental security

A.11.1 Secure areas

A.11.2 Equipment

A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.2 Protection from malware

A.12.3 Backup

A.12.4 Logging and monitoring

A.12.5 Control of operational software

A.12.6 Technical vulnerability management

A.12.7 Information systems audit considerations

A.13 Communication security

A.13.1 Network security management

A.13.2 Information transfer

A.14 System acquisition, development and maintenance

Internal teams, public networks, external suppliers

A.14.1 Security requirements of information systems

A.14.2 Security in development and support processes

A.14.3 Test data

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

A.15.2 Supplier service delivery management

A.16 Information Security incident management

A.16.1 Management of information security incidents and improvements

A.17 Information Security aspects of business management

A.17.1 Information security continuity

A.17.2 Redundancies

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

A.18.2 Information security reviews

13. ISMS Implementation

ISMS implementation project

Initiate the project
Get Management Support
Define Scope
Plan the Implementation
Establish Communication
Conduct Risk Assessment
Conduct Risk Treatment
Prepare Documentation
Compliance Check
Initiate the Project
Certification

ISO 27003 Guidance

ISO 27003 provides implementation guidance on the requirements of Clauses 4 to 10 of ISO 27001, and also provides recommendations, possibilities and permissions in relation to them.
The structure of the ISO 27003 clauses mirrors the structure of ISO 27001, adding explanations of what the ISO 27001 requirements imply.

14. Certification

Certification arrangements

Select certification body (Registered Certification Body - RCB)
Confirm the scope
Understand implications
Readiness assessment
Overall plan commitment
Detailed assessment(s)
Correction and improvements
Formal Audit

Stage 1 - Documentation Review
Stage 2 - Compliance Audit

ISO/IEC 17021-1 - Requirements for RCBs
ISO/IEC 27006 - Additional requirements for ISMS RCBs

Certification maintenance

Certification Audit (2 stages) -> 1st year Surveillance Audit -> 2nd year Surveillance Audit -> 3rd year Re-certification Audit

15. GDPR

Principles and rules for the processing of personal data

GDPR: processing principles and rules
ISO 27001: security of processing

ISO 27701: Privacy Information Management System - PIMS
