ISO 27001

source: https://courses.elearning.tecnico.ulisboa.pt/courses/course-v1:MOOCs+ISO27001X+2020/about

1. Information

Information is an asset, stored on paper, in digital form or in people's brains.

CIA

Information properties: Confidentiality, Integrity and Availability

2. Information Security Management

Information Security

The preservation of confidentiality, integrity and availability of information.

Information Security Management

Information security is managed by implementing controls that protect the information assets.

3. Information Security Management System

Information Security Management System

An ISMS is a systematic approach to:
  • establishing
  • implementing
  • operating
  • monitoring
  • reviewing
  • maintaining
  • improving
the organization's information security.

The ISMS is based on risk assessment to effectively treat and manage risks, using policies, procedures, guidelines and associated resources and activities.

Benefits

Greater protection of information against more threats
Structural approach for managing information security risks
Compliance with contractual, legal and regulatory requirements

Risks

Physical, human and technology threats associated with the information used by the organization.

4. ISO 27001 Context

Standards Hierarchy

  • International Standards: ISO, IEC, ITU
  • Regional Standards: CEN
  • National Standards: Gov., IPQ
  • Publicly Available Specifications
  • Private Standards
  • Company Codes of Practice
Consensus and control grow in opposite directions in this hierarchy.

ISO 27000

Overview and vocabulary of ISMSs

ISO 27002

Code of practice for information security controls

ISO 27003

ISMS implementation guidance

ISO 27004

Information security management - measurements

ISO 27005

Information security risk management

Reference forum

www.iso27001security.com

5. ISO 27001 Structure

Clauses

0. Introduction 
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

PDCA or Deming Cycle

Plan - establish - Clauses 4-7
Do - implement and operate - Clause 8
Check - monitor and review - Clause 9
Act - maintain and improve - Clause 10

6. Organizational Context

External

Regulations
Corruption

Internal

Cultural
Lack of resources

Information Security Requirements

Legal
Contractual

ISMS Scope

Based on the external and internal contexts, relevant interested parties' requirements, and interfaces and dependencies with other organizations.

The scope may include the entire organization, parts of the organization or parts of several organizations. However, each certification can only cover one organization.

6. Leadership

Implementing an ISMS

Policy and objectives
Security requirements
Access to resources
Communication of security requirements

Ensure that organizational roles, responsibilities and authorities are assigned and communicated.

Compliant with ISO 27001, communicated to top management and to the organization.

7. Planning

Risks and opportunities affecting CIA

SWOT analysis

Information security risk assessment

  • Establish risk criteria
    • likelihood versus impact matrix
  • Identify information security risks
  • Analyse information security risks
  • Evaluate information security risks

Risk treatment plan

  • Select risk treatment options
  • Determine the necessary controls
  • Compare controls against Annex A
  • Update the Statement of Applicability (SoA)
  • Update and approve risk treatment plan
An example of an objective for a control could be that all security incidents are registered.

Overall planning process

  • Risk and opportunities
    • ISMS context
    • ISMS risks and opportunities
  • Risk assessment
    • Assets, threats and vulnerabilities
    • Prioritized risks
  • Risk treatment
    • Prioritized risks
    • Statement of applicability
    • Risk treatment plan
  • Information security objectives
    • Risk treatment plan
    • Objectives
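As an added worked example (my own code, not from the course or from the standard), the planning flow above as a small risk register: risk criteria as a likelihood versus impact matrix with an acceptance threshold, analysis and evaluation of each risk, prioritization, a check that every non-acceptable risk has a real treatment option, and a Statement of Applicability built by comparing the selected controls against an Annex A catalogue. The 1-5 scales, the threshold of 6, the Annex A subset and all the risks are constructed sample values, not a real organisation's register.

```python
"""Risk register following the ISO 27001 planning flow: criteria -> identify ->
analyse -> evaluate -> treat -> Statement of Applicability (SoA).
All scales, thresholds and sample risks are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List

# Risk criteria (assumed for this example): 1..5 scales and an acceptance threshold.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6          # score <= 6 may be retained without further treatment
TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}

# Subset of Annex A categories used as the control catalogue (titles as in the notes).
ANNEX_A_SUBSET = {
    "A.6.2.1": "Mobile devices",
    "A.9.2": "User access management",
    "A.10.1": "Cryptography controls",
    "A.12.2": "Protection from malware",
    "A.12.3": "Backup",
    "A.12.4": "Logging and monitoring",
    "A.12.6": "Technical vulnerability management",
    "A.15.1": "Information security in supplier relationships",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "retain"                        # default option until planned
    controls: List[str] = field(default_factory=list)  # selected Annex A control ids

    def score(self) -> int:
        """Analyse: likelihood x impact from the matrix above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Evaluate: compare the score against the risk criteria."""
        s = self.score()
        if s <= ACCEPTANCE_THRESHOLD:
            return "acceptable"
        return "high" if s >= 15 else "medium"


def prioritized(risks: List[Risk]) -> List[Risk]:
    """Prioritized risks: highest score first (stable for equal scores)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treatment_gaps(risks: List[Risk]) -> List[Risk]:
    """Risks whose treatment plan is incomplete: unknown option, a non-acceptable
    risk merely retained, or 'modify' chosen without any control selected."""
    gaps = []
    for r in risks:
        if r.treatment not in TREATMENT_OPTIONS:
            gaps.append(r)
        elif r.level() != "acceptable" and r.treatment == "retain":
            gaps.append(r)
        elif r.treatment == "modify" and not r.controls:
            gaps.append(r)
    return gaps


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Compare selected controls against Annex A: list every catalogue control,
    mark it applicable if some risk selected it, and record the justification."""
    unknown = {c for r in risks for c in r.controls} - set(catalogue)
    if unknown:  # a control id outside the catalogue is a data error, not a decision
        raise ValueError(f"controls not in catalogue: {sorted(unknown)}")
    soa = {}
    for cid, title in catalogue.items():
        reasons = [f"{r.asset}: {r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(reasons),
            "justification": "; ".join(reasons) or "no identified risk requires this control",
        }
    return soa


# Constructed sample register (asset, threat, vulnerability, likelihood, impact).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched servers", "likely", "severe",
         "modify", ["A.12.2", "A.12.3", "A.12.6"]),
    Risk("laptops", "theft", "no disk encryption", "possible", "major",
         "modify", ["A.6.2.1", "A.10.1"]),
    Risk("payroll outsourcing", "supplier breach", "no security clauses in contract",
         "possible", "major", "share", ["A.15.1"]),
    Risk("marketing website", "defacement", "weak admin password", "unlikely", "minor"),
]

if __name__ == "__main__":
    for r in prioritized(SAMPLE_RISKS):
        print(f"{r.score():2d} {r.level():10s} {r.asset:20s} {r.treatment:7s} {r.controls}")
    print("gaps:", [r.asset for r in treatment_gaps(SAMPLE_RISKS)])
    for cid, row in statement_of_applicability(SAMPLE_RISKS, ANNEX_A_SUBSET).items():
        print(cid, "applicable" if row["applicable"] else "not applicable", "-", row["justification"])
```

The SoA deliberately lists controls that are not applicable together with a justification, because an auditor checks the reasoning behind exclusions as closely as the inclusions; `treatment_gaps` is the planning-stage check that no high or medium risk is silently retained.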

8. Support

Resources

  • Services
  • People
  • Money
  • Technology

Competence

  • Education
  • Training
  • Experience

Awareness

  • Policies
  • Individual contribution
  • Requirements
  • Workshops
  • Emails

Communication

  • What
    • Policies
    • Objectives
  • When
    • Changes
  • With whom
    • Providers
    • Customers
  • Who
    • ISMS manager
    • ITR department
  • How
    • Email
    • Websites
    • Social networks

Documented information

  • Policies *
  • ISMS Manual / Detailed policies *
  • Processes / Procedures *
  • Support documentation *
  • Records
    • risk management reports
    • evidences of achieved results
    • training records
    • HR competences
    • Experience and qualifications
    • key performance indicators
    • internal audit program and plans
    • management reviews results
    • non-conformities
    • corrective actions
  • ISMS scope
  • IS policies and objectives
  • Statement of applicability

9. Operation

Operation

[Resources] -> [Processes] -> [Outputs] -> Feedback -> [Control and planning] -> Adjustment

Processes

  • Procedures
  • Actions
    • Construction of an entire information system
    • Construction of a new datacenter
  • Risks and Impacts
    • Launch of a new online store must be identified at an early definition phase
  • Outsourced activities
    • Outsourcing of business application development
The processes previously defined for assessing and treating risks have to be executed at planned intervals or whenever significant changes occur.

9. Performance Evaluation

Processes

Sequences of activities that transform inputs into outputs.

Controls

May be processes, policies, devices, practices, or any other action that decreases risk.

Activities over controls

  • Monitoring
  • Measurement
  • Analysis
  • Evaluation

Audit

Systematic, independent and documented process

Management

Periodic Meeting
  • Suitability
  • Adequacy
  • Effectiveness

10. Improvement

Nonconformity

ISMS requirement

Continual improvement

  • Suitability
  • Adequacy
  • Effectiveness of the ISMS

11. The Incident Management Process

Plan and prepare phase

  • Create an accessible, short plan for incident response for the entire organisation
  • Define what is a security incident
  • Explicitly define the security response process with assigned responsibilities
  • Perform incident response training
  • Raise awareness
  • Use proper tools

Detection and reporting phase

  • Allow for detection through automatic tools, intraorganisational collaboration and manual reporting
  • Communicate with stakeholders and suppliers
  • Start documentation as soon as incidents are discovered
  • Document all incidents

Assessment and decision phase

  • Define details to be contained in incident reports
  • Confirm incidents
  • Classify incidents
  • Take special care in outsourcing scenarios

Responses phase

  • Define response priorities
  • Collaborate with technical and business staff
  • Remain in contact with reporter of incident
  • Automate where possible. 

Lessons learnt phase

  • Perform assessment and evaluation after every incident
  • Disseminate incident information
  • Use of metrics for learning effects and tuning of technical measures
  • Learn from incidents as a measure for reducing the number of incidents 

12. Annex A of ISO 27001 

The Annex A of ISO 27001 standard contains 14 control clauses, with a total of 35 main security categories and 114 controls.

A.5 Information Security Policies

  • Access Control
  • Information classification
  • Physical and environment security
  • Acceptable usage of assets
  • Backups
  • Malware protection
  • Technical vulnerabilities
  • Cryptography
  • Communications
  • Privacy and personal data
  • Suppliers

A.5.1 Management Direction for Information Security

Policies -> employees, customers, other

A.5.1.1 Policies

A.5.1.2 Review

A.6 Organization of Information Security

A.6.1. Internal Organization

A.6.1.1. Roles and responsibilities

A.6.1.2. Segregation of duties

A.6.1.3. Contact with authorities

A.6.1.4. Contact with special interest groups

A.6.1.5. Project management

A.6.2. Mobile devices and Teleworking

A.6.2.1 Mobile devices

A.6.2.2 Teleworking

A.7 Human Resources Security

A.7.1. Prior to employment

A.7.2. During employment

A.7.3. Termination and change of employment

A.8 Asset management

Identify all the assets that are necessary to transport, process or archive information.

A.8.1. Responsibility for assets

A.8.2. Information classification

A.8.3. Media handling

A.9 Access control

A.9.1. Business requirements of access control

A.9.2. User access management

A.9.3. User management / responsibilities

A.9.4. System and application access control

A.10 Cryptography

A.10.1 Cryptography controls

A.10.2 Key management

A.11 Physical and environmental security

A.11.1 Secure areas

A.11.2 Equipment

A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.2 Protection from malware

A.12.3 Backup

A.12.4 Logging and monitoring

A.12.5 Control of operational software

A.12.6 Technical vulnerability management

A.12.7 Information systems audit considerations

A.13 Communication security

A.13.1 Network security management

A.13.2 Information transfer

A.14 System acquisition, development and maintenance

Internal teams, public networks, external suppliers

A.14.1 Security requirements of information systems

A.14.2 Security in development and support processes

A.14.3 Test data

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

A.15.2 Supplier service delivery management

A.16 Information Security incident management

A.16.1 Management of information security incidents and improvements

A.17 Information Security aspects of business continuity management

A.17.1 Information security continuity

A.17.2 Redundancies

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

A.18.2 Information security reviews

13. ISMS Implementation

ISMS implementation project

Initiate the project
Get Management Support
Define Scope
Plan the Implementation
Establish Communication
Conduct Risk Assessment
Conduct Risk Treatment
Prepare Documentation
Compliance Check
Initiate the Project
Certification

ISO 27003 Guidance

ISO 27003 provides implementation guidance on the requirements of Clauses 4 to 10 of ISO 27001, and also provides recommendations, possibilities and permissions in relation to them.
The structure of the ISO 27003 clauses mirrors the structure of ISO 27001, adding explanations of what the ISO 27001 requirements imply.

14. Certification

Certification arrangements

Select certification body (Registered Certification Body - RCB)
Confirm the scope
Understand implications
Readiness assessment
Overall plan commitment
Detailed assessment(s)
Correction and improvements
Formal Audit

Stage 1 - Documentation Review
Stage 2 - Compliance Audit

ISO/IEC 17021-1 - Requirements for RCBs
ISO/IEC 27006 - Additional requirements for ISMS RCBs

Certification maintenance

Certification Audit (2 stages) -> 1st year Surveillance Audit -> 2nd year Surveillance Audit -> 3rd year Re-certification Audit

15. GDPR

Principles and rules for the processing of personal data

GDPR: processing principles and rules
ISO 27001: security of processing

ISO 27701: Privacy Information Management System - PIMS
