Friday, April 13, 2012

Overview of ISO 27001 Information Security Management Standard


Overview of ISO 27001
  • Security Management Standard (Security + Availability): Secure Business
  • Key controls differ from industry to industry
  • Importance of ISMS
  • Loss of Reputation
  • Business Continuity
  • Loss of Data for Process Continuity
  • Customer Specific Requirement: Contractual Obligation.
  • Regulated by HIPAA Law: Health Insurance Portability and Accountability Act – Mandatory since Apr’05.
  • Productivity Loss
  • PDCA Model
  • Takes care of Confidentiality, Integrity and Availability for all Information Assets
  • Right Information available to Right People at Right Time.
  • BS 7799 Part 2:2002 – Certifiable standard
  • Guideline Document: ISO 27001 standard – Further revised in 2005.
  • Initiative from the Department of Trade and Industry in 1995 – Part 1. Part 2 released in 1998. In 1999 – Swedish standard SS 62 7799 Parts 1 & 2 and new issue of BS 7799 Parts 1 & 2.
  • In Dec’00 – ISO/IEC 17799:2000 released
  • In 2001: New BS 7799 Part 2 drafted and accepted in Sep’02.
  • Standard: Four Mandatory requirements of the Standard + Annexure A: Possible Controls.
  • Develop, implement and maintain the ISMS for continual improvement in the context of the organization's business requirements and risk.
  • Section 5: Management Responsibility
  • Section 6: MRM
  • Section 7: Continual Improvement
  • Annexure A: Management Controls
  • Information Security Policy (A.3)
  • Organizational Security: What are the activities to be done at organization level for managing security? E.g. contractual requirements. (A.4)
  • Asset Classification & Controls (A.5)
  • Personnel Security – Security from the Personnel. (53% of frauds by internal people) (A.6)
  • Physical and Environmental Security (A.7)
  • Business Continuity Management (A.11)
  • Compliance (A.12)
Technical Requirements
A.8: Communication & Operational Management – Focuses on basic infrastructure
A.9: Access Control – Network only, no physical. For physical access, see the details under A.7.
A.10: System Development & Maintenance – Focuses on software development.

Total 36 Objectives and 127 Controls:
  1. Basic Focus of ISMS: Predictability & Repeatability
  2. Procedural Security & Technical (Product) Security
  3. Preventive Controls – Firewall.
  4. Detective Controls – IDS.
  5. All Assets impacting CIA are termed as Information Assets.
  6. Users are all those having access to all information assets.
Section 7
  • Continual Improvement
  • Corrective Action
  • Preventive Action 
ISO Organization Implications
Management, Employees, Customers/Users, Share Holders, Company Culture, Ownership, Legislation

Success of ISMS Depends On
  • Policies, objectives and activities that match business needs and requirements.
  • Developing the ISMS in line with the existing organizational culture
  • Change Management
  • Preventive Controls rather than Detective controls
  • Awareness
  • Commitment from Management
  • Identify Information Assets impacting CIA
  • Understanding of Security & Risk
  • Effective marketing of security within the organization.
  • Distribution of guidelines on policy and procedures.
  • Training & education
  • PDCA 
Management Commitment
  • Policy
  • Objectives
  • Roles & responsibility
  • Communication
  • Resources
  • Levels of Risks
Scope of ISMS:
Define the scope based on Business Characteristics, Organizational Characteristics, Locations, Information Assets and Technology.
The scope defines the ISMS deployed for all Information Assets: the basic focus is on the identified Information Assets, so that effective controls are applied within defined geographical and logical boundaries.

5 comments:

  1. The ISO 27001 certification implements the information security system within the organization as per the ISO 27001:2005 standard. The ISO 27001 Information Security System is part of a growing family of international standard ISO/IEC 27001 - Information Security Management Systems (ISMS) standards.
  2. This is very good information. Thanks for sharing information.
    ISO 27001 Certification
  3. Nice blog!! I was looking for a blog related to brc certification india. Then I found this blog; this is really nice and interesting to read.
  4. Thank you for sharing this informative blog; it can help many users. Now you can search iso certification services to get certified.
  5. Thanks for the valuable information. Are you looking for a one-stop solution to your Information/Cybersecurity needs? IARM is one of the few companies to focus exclusively on end-to-end Information/Cybersecurity solutions and services for organizations across all verticals.
    ISO 27001 Implementation and Consulting Company in Chennai
    ISO27001 Compliance Audit Service in Bangalore