A walk-through of the requirements of ISO 27001 and ISO 27002
Index
o What are the standards and how do they fit together
o Minimising the impact of an incident
Quality Improvement Services
Ltd
|
What are the standards and how do they fit together
o ISO 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, issued at the end of 2005, replaced BS 7799-2. This is the standard against which companies gain certification, in the same way that ISO 9001 is the certifiable standard for quality management.
o ISO 27002 Information technology - Security techniques - Code of practice for information security management is a comprehensive code of practice, and not all of its subjects will be appropriate to every company. As part of the requirements of ISO 27001 you must produce a Statement of Applicability covering the 133 controls listed in ISO 27001 Annex A, recording which apply and why.
o BS 25999-1:2006 Business Continuity Management is a separate standard to which you can gain approval independently of ISO 27001. When first issued it was the fastest-selling British Standard ever. The standard places less emphasis on IT security and requires the company to look at how it would maintain the service after any type of disaster affecting the business.
Customer Confidence - Evidence from an independent organisation that we have good IT security systems. Customers may supply, or provide access to, confidential data (e.g. the NHS) or allow access to data that must remain secure (e.g. banking, web sites).
Market Perception - Often a tick in a box in bids or tenders, but a stumbling block if the tick is not there.
Legislation - A controlled method of ensuring compliance with legislation.
Protects Valuable Assets - The risk of information theft, loss or corruption is minimised.
An Opportunity to Continually Review - ISO 27002 is a checklist of good management practices, and introducing the requirements provides a chance to look at our strengths and weaknesses.
A Forum for Improvement - The standard is concerned with measurement and improvement and creates a structure that helps us to look at how we can improve.
Raising the Priority - The prime business that earns revenue is always the number one priority and anything else comes second; seeking ISO 27001 approval raises the priority of some of the other issues that would normally never make the top of the list.
Attention to Detail - It is easy in haste to move things forward and overlook details such as keeping records up to date; the internal and external audits act as a check and reminder to do this.
We tend to think of computers and viruses when we think of IT risks, but paper records of contracts may be equally important. As we look at the sources of risk we realise that we are not just talking about having a firewall or backing up data: the physical security of the building, theft of laptops from cars and staff giving out confidential information are all things we need to consider. We need to assess the risk of each type of incident, determine its impact on the organisation and decide the appropriate action to be taken. One of the greatest risks is the introduction of new technology, and there have been some very costly failures of new IT systems.
Sources of risk: People, Technology, Fire, Theft, Environment, Other sources
Minimising the impact of an incident
The key to the whole process is the assessment of risks: it provides a means of evaluating the action you should take and also the justification for not taking action on some occasions. The standard does not require you to have the best IT systems available on the market, just systems appropriate to your business and needs. This can be turned into a complex and costly exercise, both in time and in the purchase of unnecessary systems; be warned that there are simple solutions.
FIVE MAIN SECTIONS (ISO 27001)
Section 4 Information Security Management System
Section 5 Management Responsibility
Section 6 Internal ISMS Audits
Section 7 Management Review of the ISMS
Section 8 ISMS Improvement
ISO 27001 Section 4 Information Security Management System
Scope and Policy
Risk Assessment, Treatment and Management
Statement of Applicability (controls from ISO 17799, now ISO 27002)
Monitoring, Reviewing and Improvement
Documentation Requirements
ISO 27001 Section 5 Management Responsibility
Management Commitment
Resource Management
Training, Awareness and Competence
Section 6 Internal ISMS Audits and Section 7 Management Review of the ISMS
Internal ISMS Audits
Management Review Process, with inputs of:
o Results of Internal Audits
o Feedback from Interested Parties
o Processes and Procedures
o Preventive and Corrective Action
o Vulnerabilities or Threats
o Follow-up Action
o Changes Affecting the ISMS
o Recommendations for Improvement
ISO 27001 Section 8 ISMS Improvement
Continual Improvement
Corrective Action
Preventive Action
TWELVE MAIN SECTIONS (ISO 27002)
Risk Assessment and Treatment
Security Policy
Organisation of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27002 Critical Success Factors
o Information security policy, objectives and activities that reflect business objectives
o An approach and framework for implementing, maintaining, monitoring and improving information security that is consistent with the organisational culture
o Visible support and commitment from all levels of management
o A good understanding of the information security requirements, risk assessment and risk management
o Effective marketing of information security to all managers, employees and other parties to achieve awareness
o Distribution of guidance on information security policy and standards to all managers, employees and other parties
o Provision of funding for information security management activities
o Providing appropriate awareness, training and education
o Establishing an effective information security incident management process
o Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement
QIS's software tools to simplify control
Gap analysis - Review the ISO 27002 requirements against current practices, identify gaps and complete a draft Statement of Applicability (SoA)
Consolidate Current Practices
Assess - Risk v Assets
Introduce Improvements
Obtain Approval