Friday, April 13, 2012

Overview of ISO 27001 Information Security Management Standard


Overview of ISO 27001
  • Security management standard (security + availability): securing the business
  • Key controls differ from industry to industry
  • Importance of an ISMS:
      • Loss of reputation
      • Business continuity
      • Loss of data needed for process continuity
      • Customer-specific requirements: contractual obligations
      • Regulated by HIPAA law (Health Insurance Portability and Accountability Act), mandatory since Apr ’05
      • Productivity loss
  • PDCA model
  • Covers confidentiality, integrity and availability (CIA) for all information assets
  • Right information available to the right people at the right time
  • BS 7799 Part 2:2002: certifiable standard
  • Guideline document: ISO 27001 standard, further revised in 2005
  • History: initiative from the Department of Trade and Industry in 1995 (Part 1); Part 2 released in 1998; in 1999, Swedish standard SS 62 7799 Parts 1 & 2 and a new issue of BS 7799 Parts 1 & 2
  • Dec ’00: ISO/IEC 17799:2000 released
  • 2001: new BS 7799 Part 2 drafted, accepted in Sep ’02
  • Standard: four mandatory requirements of the standard + Annexure A (possible controls)
  • Develop, implement and maintain an ISMS that is continually improved in the context of the organization’s business requirements and risk
  • Section 5: Management responsibility
  • Section 6: MRM
  • Section 7: Continual improvement
  • Annexure A: Management controls
      • Information security policy (A.3)
      • Organizational security: the activities to be done at organization level for managing security, e.g. contractual requirements (A.4)
      • Asset classification & controls (A.5)
      • Personnel security: security from the personnel (53% of frauds are by internal people) (A.6)
      • Physical and environmental security (A.7)
      • Business continuity management (A.11)
      • Compliance (A.12)
Technical Requirements
  • A.8: Communication & operational management: focuses on basic infrastructure
  • A.9: Access control: network access only, not physical; physical access is covered under A.7
  • A.10: System development & maintenance: focuses on software development

Total 36 objectives and 127 controls:
  1. Basic focus of an ISMS: predictability & repeatability
  2. Procedural security & technical (product) security
  3. Preventive controls, e.g. a firewall
  4. Detective controls, e.g. an IDS
  5. All assets impacting CIA are termed information assets
  6. Users are all those who have access to information assets
Section 7
  • Continual improvement
  • Corrective action
  • Preventive action
ISO Organization Implications
Management, Employees, Customers/Users, Share Holders, Company Culture, Ownership, Legislation

Success of an ISMS depends on:
  • Policies, objectives and activities matching business needs and requirements
  • Developing the ISMS in line with the existing organizational culture
  • Change management
  • Preventive controls rather than detective controls
  • Awareness
  • Commitment from management
  • Identifying information assets impacting CIA
  • Understanding of security & risk
  • Effective marketing of security within the organization
  • Distribution of guidelines on policy and procedures
  • Training & education
  • PDCA
Management Commitment
  • Policy
  • Objectives
  • Roles & responsibility
  • Communication
  • Resources
  • Levels of Risks
Scope of ISMS:
Define the scope based on business characteristics, organizational characteristics, locations, information assets and technology.
The scope defines the ISMS deployed for all information assets: the basic focus is on the identified information assets, with effective controls, within geographical and logical boundaries.