© 2013 Cambridge Technical Communicators Slide 1 ISO/IEC 27001 Standard for Information Security Management Systems

ISO/IEC 27001: Standard for Information Security Management Systems


Information Security Requirements

• ISO 27001: specifications

• ISO 27002: code of practice

• Download from the BSI website: http://17799.standardsdirect.org

• The Information Security Forum (ISF) publishes the 2007 Standard of Good Practice (SoGP)


Process

• A) Identify information security risks: threats, vulnerabilities and impacts

• B) Design/implement information security controls: risk management - risk avoidance/risk transfer

• C) Maintain security policy/adopt management process


ISMS

• Information Security Management System

• Broad set of general and IT-specific policies and controls that span the organisation

• Include IT, HR, management, business continuity, incident management and other business functions/areas:


Examples

• Teleworking/home working: access to data

• Training staff: on information security issues and procedures

• Recruitment: security checks

• Data retention policies: how long, where stored, how backups are made, who can access

• Staff roles: security permissions, access to sensitive information

• Access to data by third parties and suppliers


Certification process

• Stage 1 - informal review of security documentation

• Stage 2 - formal and detailed compliance audit

• Stage 3 - follow-up reviews and audits


Security Documents

• Security policy document

• Statement of Applicability (SoA)

• Risk Treatment Plan (RTP)

• Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy


Mandatory requirements

• Define scope

• Define ISMS policy

• Define roles and responsibilities

• Define the risk assessment approach and criteria for accepting risk

• Define a level of acceptability of risk

• List assets and define owners

• Identify threats, vulnerabilities, impact, likelihood and risk for each asset


• Estimate levels of risk and define if risks are acceptable or not

• Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable

• List controls to implement

• Manage lifecycle of documentation

• Obtain management approval of residual risks and of the implementation plan

• Manage resources


• Manage communications

• Implement controls

• Implement a metric for each control

• Monitor performance of the controls

• Review effectiveness of the controls

• Corrective actions

• Preventive actions

• Internal audits

• Management reviews

• Write statement of applicability
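As an added example (not part of the slides), a small Python risk register that walks the mandatory steps above: assets and owners, threat, vulnerability, impact and likelihood per asset, a risk estimate compared with a defined acceptance level, a treatment option, the residual risk that management must approve, and the control-to-asset mapping that underpins the Statement of Applicability. The 1-5 scales, the acceptance level of 6 and the sample entries are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
ACCEPTABLE_RISK = 6  # assumed acceptance criterion: a score <= 6 needs no treatment
@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: int                 # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    option: str = "accept"      # accept | transfer | avoid | reduce
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # estimated likelihood after treatment
    def inherent(self) -> int:
        return self.impact * self.likelihood
    def residual(self) -> int:
        if self.option == "avoid":      # activity stopped, so no risk remains
            return 0
        if self.option == "accept" or self.residual_likelihood is None:
            return self.inherent()      # unchanged until a treatment estimate exists
        return self.impact * self.residual_likelihood

def needs_treatment(r: Risk) -> bool:
    return r.inherent() > ACCEPTABLE_RISK

def check_register(register: List[Risk]) -> List[str]:
    # Findings to clear before management approves residual risks and the plan
    out = []
    for r in register:
        if needs_treatment(r) and r.option == "accept":
            out.append(f"{r.asset}: risk {r.inherent()} exceeds acceptance level but is accepted")
        if r.residual() > ACCEPTABLE_RISK:
            out.append(f"{r.asset}: residual risk {r.residual()} still exceeds acceptance level")
    return out

def statement_of_applicability(register: List[Risk]) -> Dict[str, List[str]]:
    # Each selected control with the assets that justify it (the SoA's basis)
    soa: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            soa.setdefault(c, []).append(r.asset)
    return soa

REGISTER = [  # constructed sample entries, not from the slides
    Risk("Customer database", "Ops lead", "Unauthorised access", "Shared admin account", impact=5,
         likelihood=3, option="reduce", residual_likelihood=1, controls=["Access control", "Event logging"]),
    Risk("Laptop fleet", "IT manager", "Theft", "Unencrypted disks", impact=4, likelihood=3),
    Risk("Office Wi-Fi", "IT manager", "Eavesdropping", "Legacy WPA", impact=2, likelihood=2),
]
```

Running `check_register(REGISTER)` flags only the laptop entry, whose risk of 12 is accepted without treatment; the database entry is reduced to a residual score of 5 and the Wi-Fi entry sits inside the acceptance level.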


ISMS Project Plan

• Identify documents and procedures required by ISO 27001; locate templates and forms

• List activities to implement the security plan: define scope, gap analysis, asset identification, risk assessment, SoA, policies, business continuity, internal audit


Thank you

We appreciate your interest in CTC

Tel: +44 0870 803 2095

Email: [email protected]

Web: www.technical-communicators.com